Wednesday, July 07, 2010
UH lax computer security to blame for massive leaks of private information
by Larry Geller
The compromised 53,000 personal records from the UH parking computer can’t be blamed on some teenager in China. The fault belongs to our high-tech university that can’t or won’t protect the data entrusted to it.
There were 40,870 Social Security numbers and 200 credit cards that were possibly compromised, officials said. [Star-Advertiser, UH breach affects 53,000, 7/7/2010]
Let’s cut to the chase here. It is not and never was necessary for the University of Hawaii to have asked for or stored social security numbers for parking purposes. More important, the SS numbers and credit card information was stored in an unencrypted database, vulnerable to copying by internal (employee) or external (hacker) thieves, whomever got there first.
In other words, the University of Hawaii’s negligent data policies were responsible for the data theft. Nor was this the first time personal data was exposed by UH. The article also mentions:
On May 15, 2009, 15,000 student records were compromised at Kapiolani Community College. The information included names, addresses, phone numbers, birth dates and Social Security numbers. The computer was on a local network where information was kept for processing financial aid. That case was closed after it was determined that no one had been harmed financially.
Sure, when data is taken, a crime has been committed. As we see here, law enforcement focuses on tracking down the thief, while the computer owner puts a finger in the dyke to plug the hole that let the data out. Eventually, a leak will happen elsewhere. The fundamental problem, which is that data is conveniently made available for the taking, has not been solved.
Look at this another way: if you lived in midtown Manhattan and left a couple of boxes full of expensive electronic items visible on the back seat of your car, would you expect to find the stuff still there when you return?
Yes, taking the goodies out of your car would be theft, and you could file a police report on it. But the responsibility was yours to at least safeguard the goods, and you didn’t do that. You might as well have put a “take me” sign on the boxes before you left.
It will be up to the students, faculty and others potentially affected by the university’s inadequate security policies to initiate action to have them corrected. And they ought not to wait very long. The chances are good that there’s more unprotected data available for the grabbing. UH obviously didn’t learn from the May, 2009 security leak that it needed to correct its inadequate practices, and they may not learn from this one.
The word is out that UH collects but doesn’t guard personal data on its computer systems, and that alone will be enough to encourage hackers and identity thieves to have a try at getting the goodies.
Without system-wide enforcement and auditing of a sound data collection and protection policy, it is just a question of time before the next breach occurs at the University of Hawaii.
Thank you , Larry for being on top of this. It is an outrage.
And to think the UH keeps demanding more autonomy from the state (so they can go hog wild in the military and level 4 lab work)
Unauthorized access is prohibited by law in accordance with Chapter 708, Hawaii Revised Statutes; all use is subject to University of Hawaii Executive Policy E2.210.
E2.210 pretty much says it all. Havenʻt read 708 yet.
I wonder if the hacker in China was familiar with Chapter 708, HRS.
I wonder if anyone is familiar with UH Executive Policy E2.210.
Thanks again, Larry.
Why is it that only the ʻcommonersʻ (tax paying workers) have their feet held to the fire if a law or rule is broken, never the big violators. For a government violator itʻs an automatic attitude of forgiveness or denial.
It should be the other way around and people in positions of protecting the public trust need to be held to a higher standard. I kind of remember a day when it ʻseemedʻ that was the way.
So regarding the breach, oneʻs security may not be affected early on and months or a year down the road when an account is tapped, no one will have this breach in mind.