Sunday, November 07, 2010
News reports let UH off the hook for security breaches
by Larry Geller
Today’s Star-Advertiser article UH cybersecurity audit advised (11/7/2010) largely lets the University of Hawaii off the hook for the security breaches described.
The article blames the latest breach on the actions of a retired professor who posted data including student social security numbers and other personal data to an unprotected web server. Almost 41,000 students were affected.
The “one bad apple” defense doesn’t hold up well. In fact, the breach began earlier—when that data was given by the University to the professor in the first place. It was not necessary to have given him social security numbers—all he needed was the basic data for his research, identified by a random record number.
The other two incidents also originate from failures of UH to protect personal information. The hacked data on 15,000 Kapiolani Community College students who applied for financial aid was stored on the computer unencrypted and accessible to a hacker. The parking lot breach, affecting 53,000 people, 40,870 Social Security numbers and 200 credit cards, was also a UH failure at base: The personal information, including social security numbers, should not have been collected or stored in the first place, and again, was not protected by encryption.
Finally, contrast UH response with the article appearing on page A12, 12,000 workers’ data breached. The agency concerned has paid for employees to enroll in a one-year program to monitor their credit reports and provided them with up to $25,000 in identify theft coverage.
Media coverage of the UH incidents indicate that UH has provided those affected with—nothing, basically.
These breaches should not be shrugged off. The 2011 state legislature will have the opportunity to create accountability through fines or other means—if enough students or citizens demand it. Hint: new bills are being written now for the upcoming session. If you plan to contact your House or Senate representative, best to do so soon.
Links to this post: