Sunday, October 31, 2010
Further on latest UH personal data leak
by Larry Geller
Many more thoughts have gone through my mind since posting "Is there an attorney who can defend us against University of Hawaii data leaks?" (10/30/2010) yesterday.
That article is in reaction to the latest leak of personal data by the University of Hawaii. This time, my personal data (including social security number) was leaked, and I’m very concerned.
A faculty member at the West Oahu campus apparently inadvertently uploaded personal information of 40,101 students to the Web.
"The part that really disturbed me is when he was asked, 'Why did you move it to this server?' his answer was, 'Because I didn't have enough room on my home computer,'" said Aaron Titus, an attorney and the coalition's privacy director. [Star-Advertiser, Privacy protector found UH data dump, 10/30/2010]
Let me list my thoughts. I still hope there is some attorney out there who might be thinking “c l a s s a c t i o n.”
I don’t recall giving the University of Hawaii my consent to use the information I submitted to them for research purposes. I provided information to them for the purposes of taking courses and later for admission. That’s it.
Maybe I signed something with fine print in it. I’m going to write to them and ask for a copy of any consent I gave them to be a subject of research.
If the research involved is considered research on human subjects, then certain federal laws may apply. I’m no expert, but for example, according to 21 CFR 50.20:
"no investigator may involve a human being as a subject in research covered by these regulations unless the investigator has obtained the legally effective informed consent of the subject or the subject's legally authorized representative."
More (from various academic sites on the Web):
The investigator must enumerate how privacy and confidentiality concerns will be approached. Researchers must be sensitive to not only how information is protected from unauthorized observation, but also if and how participants are to be notified of any unforeseen findings from the research that they may or may not want to know.
A researcher does not need names and social security numbers. Established practice requires only that each data record have some unique identifier. There should be nothing in the records provided to the researcher that could associate the data with a particular individual. This is very basic.
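As an added illustration of the practice described above (not code from the original post or from UH): a data custodian can strip names and SSNs from an export and hand the researcher only a keyed study ID per person. The column names, sample rows and key below are constructed for the example.

```python
import csv, hashlib, hmac, io, re

# Constructed sample of a registrar export; names and SSNs are fictitious.
RAW = """name,ssn,campus,gpa,credits
Alice Example,000-12-3456,West Oahu,3.4,60
Bob Sample,000-65-4321,Manoa,2.9,45
Alice Example,000-12-3456,West Oahu,3.6,75
"""

DIRECT_IDENTIFIERS = {"name", "ssn"}  # these never leave the custodian
SSN_PATTERN = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def pseudonym(ssn: str, key: bytes) -> str:
    """Keyed HMAC: stable per person, but not recomputable by
    enumerating the SSN space unless the custodian's key is known."""
    digits = re.sub(r"\D", "", ssn)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(raw_csv: str, key: bytes) -> list[dict]:
    """Return research records with direct identifiers replaced by a study ID."""
    out = []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        record = {"study_id": pseudonym(row["ssn"], key)}
        record.update({k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS})
        out.append(record)
    return out


def leaked_identifiers(records: list[dict], raw_csv: str) -> list[str]:
    """Release check: flag any SSN-shaped value or original name in the output."""
    names = {r["name"] for r in csv.DictReader(io.StringIO(raw_csv))}
    hits = []
    for rec in records:
        for value in rec.values():
            if SSN_PATTERN.search(value) or value in names:
                hits.append(value)
    return hits


if __name__ == "__main__":
    key = b"constructed-demo-key-kept-by-data-custodian"
    research = deidentify(RAW, key)
    assert not leaked_identifiers(research, RAW)
    for rec in research:
        print(rec)
```

Removing direct identifiers does not remove quasi-identifiers: a combination such as campus plus an unusual credit count can still single out a person, so the remaining columns need their own review before release.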
Who was supervising this faculty member? What standards of ethics were enforced? What certifications needed to be turned in to gain access to the data?
Access to data
Who provided this data to the faculty member? A chain of custody needs to be established (if an attorney gets involved, it will come out during the discovery process). Someone turned over the personal data, and that was the first security breach. What rules applied to turning over the data? Were rules broken? Was data turned over to a researcher who had an adequate computer and procedure at work (not at home!) to safely protect the data?
If the research was considered to be human subject research, what committee approved it, what committee reviewed and authorized the release of the data to the researcher?
Whether or not this is considered human research, the research design appears flawed. There was no need for the researcher to have personally identifiable information. Again, what committee reviewed this research? What approvals were given, if any?
University lack of reaction
In the event that sensitive personal information has been breached, for example, names along with social security numbers, the university should have taken steps to immediately notify anyone affected. Time is of the essence. Perhaps someone wants to take protective action as a result of the breach. They need to know first that their data has been leaked.
I still have not been notified by UH that my data was in the batch that got out. I found out by going to the website mentioned in the newspaper article.
Failure of the university to remedy potential problems
UH did not offer to cover the cost of identity theft insurance or otherwise inform me of steps they are taking that will protect me against the potential cost of their security breach.
If information from any of the UH security leaks is in the hands of a third party, it can be sold any time in the future. This causes me a great deal of concern and even what I think is described as “mental anguish.” Who knows when the shoe will drop?
Inadequate procedures, any fix in sight?
The breached data was kept on the faculty member’s home computer. How was that allowed? Are there other instances of data on home computers, and what is being done to assure that data is not only removed but that the hard drives are being scrubbed clean? It isn’t enough to delete the data. In actuality, the data is still on a hard disk even though it is deleted. It takes a special procedure to get rid of it forever.
Have all personnel been asked to state whether they possess personally identifiable data in any form, on paper or on a computer, or whether they have possessed such data and how it was destroyed?
If a home computer is stolen or sold, anything on the hard disk goes with it. The UH inquiry should include home computers. I’ll go further: action should be taken against anyone keeping sensitive personal information on home computers. And against anyone providing sensitive personal data who does not also provide procedures and checks to make sure the data is not stored improperly.
Repeated leaks are unacceptable
From my earlier article, quoting the security website that discovered the leaked data via Google:
This latest breach follows on the heels of a May, 2010 breach involving 53,000 students, and a 2009 breach involving 15,487 parents and students.
The UH is a repeat offender. A comprehensive solution is needed.
Thanks for following up on this and getting mad. More of us should be getting mad. Itʻs peopleʻs lives that are jeopardized.
Hereʻs an email to my teacher July 7, 2010 AND REPLY.
...I didnʻt know who else to contact about this really disturbing fact that UH has breached the students security. I had put a lot of faith in the assurances that our info was safe. It does not matter to me that itʻs only ʻsomeʻ students data and not all campuses; itʻs wrong that they were that careless.
Itʻs ironic, I canʻt even log in to UH for some reason but hackers can maneuver around easily.
Do you have any ideas as to whether we can petition for or demand the security that is warranted? Or is there any action being taken?
I was not even notified through my .edu address but discovered the act via a local blog writer who is pretty outraged.
Anyway, hereʻs his site and his article.
Instructorʻs Response: (July 8)
....I did hear about the security breach, and wondered if my information was in there, as I had a Manoa parking pass for several years. I am not sure what the chain of command is for parking control. You may want to start by asking David Lassner's office. He's the UH Vice President for Information Technology, and his number is 808 956-3501. If his office is not in charge, they may be able to refer you to the office that is.
If you are concerned about the security of your credit card information, in the future you may want to use a credit card that offers ShopSafe protection. This allows you to create a dummy credit card number up to a credit limit that you specify, for online purchases. You could create one for the exact amount of your UH tuition and use that to pay online, and then if the number is hacked, it's useless to the hacker. Here's a brief description of how ShopSafe works.
Well, thatʻs fine and dandy but what if it is tooooo late for ʻʻʻshop-safeʻʻʻ? And this kind of stuff makes me suspect companies like shop-safe that come in with automatic fixes for problems???
There should be more alarm that this happened. I know DAMN well that if I did some insignificant little boo-boo at that UH, accidental ʻplagiarismʻ or something...thereʻd be a big PUNISHMENT.
Thanks to both Anonymous for the comments.
Yes, anything that is ok to post is welcome (that is, if the emails you mentioned were intended as private communications of others, maybe not).
I hope a dialog can be started, certainly here, but everywhere.
Also, the bank protection programs aren't enough, and they have been put in place in part to protect the banks themselves. The ID theft problem goes beyond use of credit cards.
Here are some more communications on July 8, 2010:
The issue about the security being breached was not through the ITS database, but with the Parking Office database at University of Hawaii at Manoa. These are two different databases. We do not manage or handle the Parking Office database. Any issues you have with the security of the Parking Office database should be addressed to the Parking Office.
ITS Help Desk Consultant
Thank you, XXXXX, but I do believe this matter should be taken extremely seriously and if someone is responsible negligently it needs to be dealt with.
And I say this to you as well because it is not a ʻfragmentedʻ issue. The University of Hawaii Executive Policy E2.210 says it all and is very clear and applies to all tech sections.
The issue is being taken seriously and affected accounts are being notified. An incidence team has been created and contacted for further information with the Security Breach. The following is their e-mail address if you would like to contact them on the issue: email@example.com.
ITS Help Desk Consultant
Thank you for the update. It would be helpful if all UH members/students were kept in the loop when things like this happen. It really instills confidence and trust. The silence and no notification puts it all in an automatic bad light. People can handle the truth and can be very accommodating if things are presented on the up and up.
Mahalo for your response.
Iʻm getting off topic here from my last posts but thought you might be interested in this:
1 November 2010
Road to Hope (R2H) Convoy in Positive Dialogue with Egyptian Officials
Access to Gaza via Egypt looking likely
Arriving at the Libyan/Egyptian border on 26 November, 2010, the Road to Hope Convoy continues to wait at the border. However, over the last two days increasingly positive communications with Egyptian officials gives us reason to be optimistic and the final manifest of vehicles and convoy members has been requested and received by the Egyptian Government in Cairo. We now await final approval.
“Although the outlook for an expeditious approval to proceed with our mission is likely, we have always been prepared for the ups and downs and challenges that have been commonplace when attempting to deliver aid to Gaza. If we were to move forward in the next day or two this would be one of the most trouble-free convoys yet.” – Convoy Leader Kieran Turner
“Our chief desire is to continue our journey to Gaza by land as soon as possible and fulfill our mission, nevertheless, we are prepared for any possibility. Hopefully Egypt maintains its commitment to receiving aid destined for Gaza. A successful and relatively trouble-free conclusion to our convoy will help to affirm Egypt’s commitment, thus shifting the burden of responsibility to people of conscience to support the people of Palestine in Gaza until the Israeli blockade is completely broken.” – Ken O’Keefe
Of secondary concern are the R2H Convoy participants who are survivors of the Israeli attack on the Mavi Marmara; they are proven humanitarians and we hope there will be no hindrance in their ability to complete this mission.
Mavi Marmara survivors – Ken O’Keefe (Ireland), Laura Stuart (UK), Ibrahim Musaji (UK), Ali Awasi (UK), Babu Zanghar (UK), Tauqhir Shareef (UK), Sakir Yildrim (UK).
London – Eleanor Merton +44 777 037 6701
Libya / Egypt – Kieran Turner & Ken O’Keefe +21 891 802 0981
Aloha Palestine - Managing Director
SafeTrade - 'The commercial exchange of non-hazardous items that pose no danger to society. Trade conducted transparently and fairly that develops prosperity while fostering stability and building security in the region where it is conducted.'
Yes, it is off-topic but I didn't want to lose the information you sent. I have to get back to Israel/Palestine/Gaza soon.
Thank you, Larry for all you do and the quick posting of the Press Release.
These guys need all the hoorah and support they can get.
Right on, Larry. Thereʻs an incredible amount of issues.
In that case how about setting up a communicado with Ken? Heʻs our guy from Hawaii, the former marine.