University Neglected Security Guidelines

By Andrew Dwulet and David Krone | Feb 01 2008 | Crime and Safety

The university violated its own recommendations when it failed to encrypt a hard drive that was stolen from an office earlier this month in one of the dozens of incidents in the past year involving compromised data at a U.S. university.

The university should encrypt, or make unreadable to unauthorized parties, all confidential information, including Social Security numbers, and not leave it on a device “open to attack,” according to University Information Security’s Web site.

The university’s Information Security Policy “strongly” recommends encryption for information stored electronically, especially for data classified as confidential.

David Lambert, vice president and chief information officer for University Information Services, said in an interview Monday that the hard drive was not encrypted and that he was unsure if it was password-protected.

“If the information was encrypted, we would not be going through this process,” he said Wednesday at an information session on the incident held on main campus in the Intercultural Center Auditorium.

“Establishing information security is a process, but because it is a process, some things are left undone.”

On Jan. 3, Lynne Hirschfeld, senior business manager for student affairs, reported to police officials that a hard drive containing the personally identifiable information of approximately 38,000 students, alumni, faculty and staff was missing from her office, which had been kept locked over winter break. On Tuesday the university sent a letter to the individuals whose information may have been compromised; the data was kept in files related to student services such as health insurance. Lambert said that the university waited over three weeks before releasing the information because University Information Security needed to determine the extent of the information on the drive.

“Honestly, I don’t know [why the drive was not encrypted],” Vice President for Student Affairs Todd Olson said.

The files on the hard drive included information on all undergraduate students enrolled from 1998 through the middle of 2006: approximately 7,700 current students at the university and about 25,000 alumni.

Some students at the session questioned why information is not backed up centrally at University Information Services, which Lambert said was possible.

Lambert said at the session that the university would be working toward more information encryption and password-protection. He also said earlier this week that the university has been moving away from using Social Security numbers in its data storage and has been using GOCard numbers and NetIDs as unique identifiers since 1999.

The university has said that it has not received any reports of identity theft related to the incident. In a broadcast e-mail sent on Tuesday, it said that Georgetown would be providing free credit monitoring services for impacted individuals.

According to the Federal Trade Commission’s Web site, there are several ways thieves can exploit another individual’s Social Security number and other personal data. These include opening a new bank account, collecting government benefits, committing credit card fraud or getting a job.

Georgetown is not the only university that has suffered a security breach compromising personal information in recent months.

“Unfortunately, data security incidents have been widespread at colleges and universities [in the] past two to three years,” said Rodney Petersen, security task force coordinator for Educause, a non-profit organization that promotes smart practices in information technology in higher education institutions. “The breaches include everything from hackers to lost or stolen devices.”

In the past month, security breaches exposing student and faculty Social Security numbers have occurred at Penn State University, Tennessee Tech University and the Universities of Wisconsin-Madison, Iowa, Akron, Georgia and New Mexico State, according to the Privacy Rights Clearinghouse Web site. In addition, confidential information was exposed at Baylor University and California State University-Stanislaus last month, but these incidents did not involve Social Security numbers. In 2007, the site reported a total of 81 cases of security breaches at academic institutions nationwide.

Petersen attributed this to the open and decentralized nature of the university environment where information is shared and keeping track of it is difficult.

“In a university environment, we tend to decentralize and distribute authority and responsibility,” Petersen said. “Student information is used in multiple department offices, accessed on numerous machines and occasionally downloaded and backed up.”

To better protect sensitive information, Petersen recommended that universities follow a seven-step blueprint for the safe handling of confidential data. The best plan, he said, is to “establish a security-aware culture,” particularly by training staff, monitoring compliance and enforcing accountability.

“Most breaches are not the result of technical mistakes but of human error,” Petersen said. “The only way to prevent that is through user education and executive awareness.”

The blueprint, according to the Educause Web site, also suggests that universities classify data from sensitive to public and secure that data which is public. Petersen emphasized, however, that although there are a growing number of encryption tools, they are difficult to implement systematically across a university.

Lambert said during the session that because Georgetown created GOCard numbers and NetIDs, it has already taken some steps to reduce the need for personal data.

“Up until then the [Social Security number] was the ID number. Prior to when we created the ID, if we needed records, the only way we could get them was through the [Social Security number],” he said.

In early June, the University of Virginia also suffered a significant breach in data security. According to UVA spokesperson Jeff Hanna, on May 22 the Information Technology and Communication office discovered that a hacker had broken into a database containing the Social Security numbers, names and birthdays of 5,700 current and former faculty and staff. ITC made the discovery while updating its systems to avoid using Social Security numbers. A week later, ITC discovered evidence of further breaches in the system logs.

ITC removed the database and, on June 8, notified the affected parties through e-mail and hard-copy letters. ITC provided a free year of credit monitoring, recommended fraud alerts, set up a toll-free hotline and set up a Web site with information and recommendations.

“UVA is continually modifying its systems and training employees on data protection measures,” Hanna said. He added that there has not yet been any evidence that the exposed data has been used maliciously.

Petersen said that notification times often vary after a breach at a university.

“It takes time to determine source of breach,” explained Petersen. “Law enforcers also want to delay notification so they can take forensic evidence before tipping off the perpetrator. It’s not uncommon for [the] notification period to take as long as several days to several weeks.”

Petersen added that there have been few cases of identity theft immediately following a breach.

“Although it could take time for data to be used,” Petersen said, “it doesn’t seem a breach is a tie to cases of identity theft. Particularly when devices are lost, the perpetrators are after the hardware.”

He added, though, that a security breach is usually a strong eye-opener for a university administration.

“Administrators realize there is a substantial reputational risk and legal liability to information security,” Petersen said. “They realize they need to address that liability.”

— HOYA Staff Writer Victoria Fosdal contributed to this report.

Roy A. Crabtree
Feb 01 2008 at 7:16 p.m.

(1) The numbers are > 38,000, -> 15,300 more. (2) The FBI lost all 38,000 IDs, & did not do a scrubdown? (3) The drive should have been encrypted; then the backup in it (DB); then the data table (part of the file). Then the keys to that file separated into two files, of which the actual SS# should have been kept on separate media. And a few other items.

Anonymous
Feb 02 2008 at 5:56 a.m.

Hey.. if it can happen to the TSA and VA then it can happen to anyone. Probably was just some low level thief who's going to use it for movies and music.

John Cain
Feb 02 2008 at 6:01 a.m.

Why was this data allowed on any media in the first place? This sort of confidential information should only be on a server, accessible only by secure remote access. Is the network so horrible at GU that this isn't an option?

John Cain
CAS '02

Anonymous
Feb 02 2008 at 10:25 p.m.

This completely undermines the university's credibility and authority to hold students accountable to the rules that it creates for them. Not only did these employees disobey the rules, they get paid to do it. And, of course, nothing will happen to them. Clearly the leadership needs to change. I, for one, can't in good conscience donate to this horrible administration. My giving will start again when DeGioia resigns.
