TechHui

Hawaiʻi's Technology Community

Third Major UH Data Breach in One Year


I debated posting this because we have so many great UH faculty members as members, and I don't want this to turn into a bash-fest on the people who were instrumental in helping us grow this community. That being said, it wouldn't be honest for us not to address the issue. Obviously three major security breaches in a year indicates a very serious problem. I'm sure most of you have read the articles, but for those who haven't:

From the Star Advertiser:

Washington, D.C.-based privacy policy institution.


A faculty member at the West Oahu campus apparently inadvertently uploaded personal information of 40,101 students to the Web. The information belongs to students who attended the West Oahu campus from 1988 to 1993, and Manoa students from 1990 to 1998 and in 2001.

The information was posted by a now-retired Institutional Research Office faculty member at 2:46 p.m. Nov. 30, 2009.

Everything from a student's Social Security number and citizenship to the highest level of education attained by parents, marital status and addresses were available online until Oct. 18, when the Liberty Coalition in Washington, D.C., discovered the information through a Google search.

Full Article

The evidence that we have a problem is incontrovertible. Rather than attacking UH, let's figure out how we can help. I've listed some of my ideas below. If you know something about security, please contribute yours.

  1. Independent Audits: UH should undergo an independent SAS 70 Type II audit. If our schools are going to hold sensitive data about us, we should hold them to the same standards as anyone else who has our credit card information and/or Social Security data. The criteria for the audit should be established by a panel of IT professionals from the private sector (see 4 below).
  2. Expand the Authority of the Office of the CIO: To our friends at UH, if I'm wrong feel free to correct me, but I have the impression that many groups within UH skirt the rules established by the CIO. They seem to do this by establishing internal IT groups that do not report to the Information Technology Services department. If you have a computer, the rules should apply to you, and the CIO should have the authority to determine that you have violated those rules, which, in egregious cases, should result in your immediate termination.
  3. Enforce the Rules that Already Exist: UH has a policy that Social Security numbers should not be used to identify students. If you break this rule, you should be fired immediately.
  4. Create an IT Advisory Board Composed of Private Sector Experts: This group would meet with the CIO quarterly and be available to render advice when needed.

There is no such thing as perfect security for any non-trivial system. That being said, we need to raise the bar considerably. The success of UH is critical to our state, and that success is contingent on students feeling that their personal data is secure.

Comment by Paul Graydon on October 30, 2010 at 3:56pm
I would appreciate some clarity from those who have more direct knowledge of UH and its IT infrastructure. Most of what I've heard are just odd comments from various folks and may not actually reflect the real situation.

My understanding is that the bulk of the Sysadmins and IT people at UH are students, not experienced professionals? If that truly is the case, whilst student sysadmins are cheap and it's a great opportunity for them to learn and certainly great for helping them when it comes to getting jobs, it does concern me somewhat that you have sysadmins working in production environments with no real world understanding of IT security, just academic. We all know there is a world of difference between theory and practice in any field. No one drives a racing game and then expects to be able to drive an actual car with the skills they've gained.

It strikes me that it really should be quite simple to avoid security gaffes like this one by using pretty standard methods: No staff member except the sysadmins or equivalent should have access to any public-facing servers. Everything that goes onto a public server should require deployment in one form or another by a sysadmin team. Public-facing servers should all be extremely secure and should all be in a DMZ.

My wife is in the affected time period; we're just hoping her information wasn't disclosed.
Comment by Daniel Leuck on October 30, 2010 at 3:47pm
We received this information from a source within UH:
Right now I can list five different business units at UH that I have personally observed using SSNs as identifiers. A couple of weeks ago a student asked me for my SSN when I had to have my ID re-issued as a student ID! Incredible! This is contrary to UH policy. They have been transitioning away from using SSNs since 2002. Since June they have been trying to find a scanning tool to remove SSNs (use Cornell Spider!). What is the hold-up? Do they not have the support they need? As members of the general public, what can we do to help?
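The discovery scan the comment above is asking for, as an added example (this is not code from TechHui, UH or the Cornell Spider project): a small Python scanner that flags plausible SSNs in a set of files and produces a masked copy, using the SSA's never-issued ranges to discard obvious false positives. The file contents below are constructed sample data, not real records.

```python
import re
from typing import Dict, List

# Constructed sample files standing in for a departmental web root; no real records.
SAMPLE_FILES: Dict[str, str] = {
    "dropout_study_1998.csv": "id,ssn,parent_edu\n1,123-45-6789,BA\n2,219-09-9999,HS\n",
    "notes.txt": ("Invalid examples: 000-12-3456, 666-45-6789, 987-65-4320. "
                  "Phone 808-555-1212. Real-looking: 345-67-8901."),
    "readme.txt": "No identifiers here.",
}

# Dashed SSN layout; the lookarounds stop the pattern from matching inside longer digit runs.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> List[str]:
    """Return the plausible SSNs found in a block of text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file name to the SSNs it contains; files with no hits are omitted."""
    report: Dict[str, List[str]] = {}
    for name, content in files.items():
        hits = find_ssns(content)
        if hits:
            report[name] = hits
    return report


def redact(text: str) -> str:
    """Mask plausible SSNs, keeping only the last four digits (the usual XXX-XX-1234 display form)."""
    def mask(m: re.Match) -> str:
        if is_plausible_ssn(*m.groups()):
            return "XXX-XX-" + m.group(3)
        return m.group(0)  # not a real SSN layout; leave untouched
    return SSN_RE.sub(mask, text)


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {len(hits)} SSN(s) -> {redact(', '.join(hits))}")
```

Pointed at a real web root you would walk the filesystem and also handle undashed nine-digit forms and office formats (CSV, XLSX, PDF), which is what tools like Cornell Spider do.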
Comment by Brian on October 30, 2010 at 2:53pm
I guess I can consider myself fortunate that it appears my information was not disclosed despite being at UHM during that time period.

Thanks for the link, Cameron. I'm pretty cynical, yet still shocked to see some incompetent (and yes, he was) professor was given access to such a large and detailed database.
Comment by Cameron Souza on October 30, 2010 at 2:36pm
Comment by Daniel Leuck on October 30, 2010 at 2:13pm
Phill - Those are good points. The criteria for the audit should be set by an IT advisory board made up of IT professionals from the private sector. I've added that to the post.
Comment by Daniel Leuck on October 30, 2010 at 2:10pm
Brian - I agree. There have to be consequences. We cannot take a laissez-faire approach to data security.

There is absolutely no reason for any professor to have access to social security numbers. Those who currently do should be given one month to replace them with a new identification system. Failure to do so should result in immediate termination.
Comment by Brian on October 30, 2010 at 2:01pm
The most troubling thing I found about the article was that the reaction to the faculty member seemed to be along the lines of "Oh, he's some bumbling old guy that didn't know any better."

I'm sorry, but this isn't the 1980s; there needs to be accountability. If he's retired, he should have his pension yanked, be prosecuted, or otherwise have some sanctions imposed. While I don't mean to imply that throwing this guy to the wolves is the whole or even most of any solution, there needs to be real accountability and consequences - not just for the individuals but for the chain of command that is responsible for this information.

"The faculty member was trying to update a previous study he had done on why students drop out of college." Why on earth would this require Social Security numbers, addresses, names, etc.? Non-PII metrics are more than adequate. The data owners of this information should be fired or otherwise severely reprimanded.
