Friday, November 19, 2010
UH begins scanning its servers for sensitive data
by Larry Geller
It appears that the University of Hawaii has at last begun to scan its servers for potential private information that may lurk anywhere in the UH system.
This action comes hot on the heels of the filing Thursday of a lawsuit by a former UH student affected by multiple UH data breaches, and after a widely circulated report by the Liberty Coalition graded UH as an “F” for poor privacy and personal data security practices. It lags by five months a commitment by UH to the Legislature to scan systems to find sensitive information repositories (see the Liberty Coalition report, page 11). UH promised again to scan all systems in October (report, page 12).
Had the university routinely scanned its servers for personal data, the huge personal information breach of more than 40,000 student records from an unsecured server would very likely have been prevented, as would the May 2010 breach involving 53,000 students, and a 2009 breach involving 15,487 parents and students.
UH webmasters may now receive an email report similar to this one:
From: Web Support <firstname.lastname@example.org>
You are receiving this email because you are listed as a website contact or developer for a website hosted on one of the ITS managed UH web servers.
Departments are prohibited from keeping PII (Personally Identifiable Information) on publicly accessible UH web servers or databases. This will eliminate exposure of SSNs, credit card numbers, financial information and other personally identifiable information. Any sensitive information is required to be protected in accordance with UH Executive Policy E2.214 "Security and Protection of Sensitive Information" (http://www.hawaii.edu/apis/ep/e2/e2214.pdf).
On a routine scan for numbers in the format #########, we found numbers that *may* be SSNs in your website directory(ies). Please check ASAP the following website files/directories for possible PII and remove them:
Please note that the numbers that were flagged may or may not be actual SSNs; however, they were flagged because they follow the form of SSNs (#########) and, thus, could be SSNs. Read permissions have been removed from the suspected files as a precaution until removal of PII information is complete or verification that the data is not PII. Please also check all your files for other PII information such as credit card numbers, driver's license numbers, bank account information, etc.
This message is being copied to the Point-of-Contact identified by your Chancellor or VP for protection of personal information in your unit.
ITS Web Support Group
This kind of scan can be a useful tool, though users may find it disruptive since UH has removed the read permissions from suspect files. Some users will find that their systems no longer function and won’t know what to do about it. Still, this is better than allowing exposure of personal information the scan may have detected.
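The ITS notice describes a routine scan for nine-digit runs and warns that matches may or may not be real SSNs. The example below is added here to show how such a scan works and how its false-positive rate can be lowered; it is my own code, not the ITS scanning tool or any UH script. It goes a little beyond the notice: it also accepts the dashed SSN form, applies the Social Security Administration's published structural rules (area never 000, 666 or 900-999; group never 00; serial never 0000) to drop nine-digit runs that cannot be issued SSNs, flags payment-card candidates with the Luhn check, and can clear read permissions on flagged files the way the notice says ITS did. The file names and contents are constructed samples, not UH data.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Nine digits with no digit on either side (the ######### form from the ITS notice),
# dashes optional, split into the SSN area / group / serial fields.
NINE_DIGITS = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")
# Payment-card candidates: 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules for issued numbers: area is never 000, 666 or 900-999,
    group is never 00 and serial is never 0000. Anything else stays a candidate."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment cards; removes most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Return {'ssn': [...], 'card': [...]} holding only candidates that pass the checks."""
    ssns = [a + g + s for a, g, s in NINE_DIGITS.findall(text) if plausible_ssn(a, g, s)]
    cards = []
    for m in CARD_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            cards.append(digits)
    return {"ssn": ssns, "card": cards}


def scan_directory(root, restrict: bool = False) -> dict:
    """Walk root and return {path: findings} for files with at least one plausible hit.
    With restrict=True, clear the read bits on each flagged file, mirroring the precaution
    in the ITS notice, so the content stays unreadable until a human reviews it."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        hits = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
        if hits["ssn"] or hits["card"]:
            findings[str(path)] = hits
            if restrict:
                mode = path.stat().st_mode
                path.chmod(mode & ~(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH))
    return findings


# Constructed sample files standing in for a department web directory (not UH data).
SAMPLE_FILES = {
    "roster.html": "<td>Kim</td><td>123-45-6789</td><td>Lee</td><td>219-09-9999</td>",
    "orders.txt": "Order 000123456 shipped; ref 666456789; tracking 912345678 phone 8085551234",
    "payments.csv": "card,4111111111111111\ncard,1234567890123456\n",
    "notes.txt": "No identifiers here, just the 2010 budget.",
}


def build_sample_site(root) -> None:
    for name, content in SAMPLE_FILES.items():
        Path(root, name).write_text(content, encoding="utf-8")


def run_demo(restrict: bool = False) -> dict:
    """Build the sample tree in a temp directory, scan it, and report hits keyed by file
    name together with whether the owner read bit is still set on each flagged file."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        report = {}
        for path, hits in scan_directory(root, restrict=restrict).items():
            p = Path(path)
            readable = bool(p.stat().st_mode & stat.S_IRUSR)
            report[p.name] = {**hits, "readable": readable}
            if restrict:  # restore the read bit so the temp directory cleans up
                p.chmod(p.stat().st_mode | stat.S_IRUSR)
        return report


if __name__ == "__main__":
    for name, info in run_demo(restrict=True).items():
        print(name, info)
```

Run as a script, the demo flags roster.html (two plausible SSNs) and payments.csv (one Luhn-valid card number), leaves orders.txt alone because its nine-digit runs use never-issued area numbers, and shows the read bit cleared on both flagged files. The structural checks cut noise but cannot prove a number is or is not an SSN, which is exactly why the ITS notice still asks the file owner to verify.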