CORPORATE COMPLIANCE
  
COMPLIANCE CORNER
4/13/05

Computer Security Events Involving Privacy Violations

Almost daily now we hear a new report of sensitive personal information being released through computer security incidents at universities and other organizations.  In addition to causing significant worry for the individuals whose privacy is violated, these incidents result in loss of credibility for the organization and are very costly to investigate and remedy. 

UTB/TSC is NOT immune to these risks.  However, the good news is that with proper care on the part of all employees, most incidents of these types are preventable!      

The list below of recent computer security incidents is a reminder of the growing trend of data being improperly exposed and of the importance of staying vigilant in securing the information for which each of us is responsible. As you read through these incidents, please consider the sensitive data you use in performing your duties and note the suggestions for reducing the risk of improper exposure.

Remember - Information security is the responsibility of each UTB/TSC employee.  If you have questions about computer security in general or need information on how best to address a specific security concern, please contact Chris Cohen of Information Systems at (956) 882-3881 or Ubaldo Martinez of Information Resources at (956) 882-7460.

COMPUTER SECURITY INCIDENTS INVOLVING PRIVACY VIOLATIONS
(Note: This list is by no means all-inclusive. There have been many smaller incidents, and many more are suspected to go unreported.)

Each entry gives the institution and date, the incident, and how to prevent similar incidents.

UC – Berkeley
March 2005

Laptop Computer Stolen
Social Security Numbers and other personal information were revealed, and the University must contact over 98,000 individuals. An administrator in the school's graduate division had loaded the personal data of 98,369 individuals onto her laptop for a research project tracking where students had gone after Berkeley.

·         Avoid saving sensitive information on laptop computers and other mobile devices such as PDAs, cell phones and USB storage devices (also called pen drives or thumb drives). These devices are easily lost.

·         Lock offices and secure laptop computers with cable locks.

Univ. of Nevada
March 2005

Computer hack
Computer contained information maintained in the SEVIS system for approximately 5,000 foreign students. (Method of infiltration not revealed.)

·         The IT organization must ensure that all protective measures are maintained on servers containing sensitive data.

Cal State University Chico
March 2005

Computer hack
Computer contained social security numbers and other personal information on 59,000 people. The investigation revealed that the hackers installed software to store files on the system and tried to break into other computers. (Source of break-in not revealed; possibilities include a compromised password or missing anti-virus and other protective software.)

·         Do not share your password with anyone.

·         Use strong passwords.

·         Always run anti-virus software.

·         Sensitive data must reside only on computers that are housed in a high security environment.

Boston College
March 2005

Computer hack
Server contained information on 120,000 alumni. Intruders installed software on the system to store music, movie and game files, and also attempted to break into other university computers. Method of hack not revealed.

·          Firewall, anti-virus, anti-spyware and other protective measures must be maintained by the IT organization for all servers.

Bank of America
February 2005

Lost Computer Tapes
Tapes contained credit card account information on 1,200,000 customers. The tapes were lost in transit to the backup site.

·          If data must be physically transported, encrypt it before it leaves so that a lost or stolen tape exposes only unreadable ciphertext, and keep the key separate from the media.

·          Where data can be sent electronically instead, use an encrypted transfer channel.

ChoicePoint
February 2005

Scam
ChoicePoint, a data gathering company, revealed personal financial information on 145,000 people to criminals posing as legitimate businesses.

·          When providing information to another organization, verify the identity of the organization, and of the individual claiming to represent it, through an independent third party rather than through contact details the requester supplies. This is particularly important since System Administration must conduct business with people from the UT System institutions whom it does not know personally.

George Mason University
January 2005

Computer hack
The University had to inform 32,000 students, faculty and staff that their personal data had been exposed. The hackers also installed software on the server to store files and attack other computers.

·          All servers must be monitored for proper use and must be protected with proper protective technologies.

University of Colorado- Boulder
October 2004

Computer hack
College of Continuing Education server breached, revealing social security numbers for approximately 1,000 people. Source of breach not revealed. The computer was being used for illegal file storage.

·          All servers must be monitored for proper use and must be protected with proper protective technologies.

UC – Berkeley
August 2004

Computer hack
Personal records of 1,400,000 people were exposed on a researcher’s computer. The researcher had previously refused to implement security recommendations of the University’s Security Officer.

·          All computers and users must adhere to established security policies.

UCLA
June 2004

Stolen Laptops
Two separate incidents of stolen laptops resulted in exposure of personal information on 145,000 blood donors and 62,000 health patients. One of the laptops was stolen from a van.

·          Avoid storing sensitive data on laptops – use server storage instead and simply access it from the laptop.

·          Lock offices and secure laptops with cable locks.

·          If sensitive data absolutely must be stored on a laptop for operational reasons, it should be stored in encrypted format – and a backup copy must reside on a secured server.
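The two Bank of America bullets and the UCLA bullet above rest on the same mechanism: encrypt the data before it goes onto the tape or laptop, and keep the key somewhere other than with the media. The program below is an added illustration written for this Compliance Corner and is not code from UT System, Bank of America, UCLA or any other institution named here. It uses AES-256-GCM from the Go standard library; the sample export, the tape label and the arrangement for delivering the key separately are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample export, standing in for the record sets that ended up on
// backup tapes and laptops in the incidents above. Names and numbers are made up.
var sampleExport = []byte("id,name,ssn\n1,A. Student,123-45-0017\n2,B. Student,123-45-0412\n")

// NewDataKey generates a random 256-bit key. The protection comes from keeping
// this key apart from the media (assumption: the sender holds it and passes it
// to the backup site over a separate channel), so a lost tape or stolen laptop
// carries only ciphertext.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Seal encrypts plaintext with AES-256-GCM. label (for example the tape or file
// name) is authenticated but not encrypted, so a sealed blob cannot be relabelled
// or moved to another tape without detection. Output is nonce || ciphertext+tag.
func Seal(key, label, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce slice, so the nonce
	// travels with the data and nothing but the key has to be stored elsewhere.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. It fails on the wrong key, a changed label or any
// modification of the ciphertext, and in those cases returns no plaintext at all.
func Open(key, label, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	label := []byte("backup-tape-0042") // assumption: the identifier written on the tape
	sealed, err := Seal(key, label, sampleExport)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes became %d bytes on the tape\n", len(sampleExport), len(sealed))

	// The backup site, holding the key it received separately, recovers the export.
	pt, err := Open(key, label, sealed)
	fmt.Printf("correct key and label: err=%v, recovered %d bytes\n", err, len(pt))

	// Whoever finds the tape, or holds a different tape's key, gets an error and nothing else.
	otherKey, _ := NewDataKey()
	_, err = Open(otherKey, label, sealed)
	fmt.Printf("wrong key: err=%v\n", err)
	_, err = Open(key, []byte("backup-tape-0043"), sealed)
	fmt.Printf("relabelled tape: err=%v\n", err)
}
```

Run it with go run on any machine with a Go toolchain. The point of the scheme shows in the last two lines it prints: without the exact key and label the recipient gets an error and no data, which is exactly what a finder of a lost tape or stolen laptop should get. The key, not the media, becomes the thing to guard, and it is far easier to keep one key in a safe place than to keep every tape and laptop from going missing.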

UC – San Diego
April 2004

Computer hack
Four servers containing social security numbers for 380,000 people were broken into. An earlier breach, in December 2003, had revealed information on another 178,000 people associated with the University.

·          All servers must be monitored for proper use and must be protected with proper protective technologies.

Univ. of Kansas
April 2004

Computer hack
In addition to social security numbers, ten years of prescription records for University students, faculty and staff were stored on the compromised computers.

·          Computers must be secured according to the type of data they hold and the risk associated with it. Computers containing health information must be highly secured.

University of Texas
March 2003

Application misuse
Social Security Numbers for some 55,000 individuals were obtained from the UT Austin mainframe. The application relied on the SSN for access and did not prevent an attacker from guessing social security numbers until valid ones were found.

·          Security must be an integral component of the design of every computer application. Systems that rely on the SSN as an identifier or credential for access should be modified to avoid this practice.
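What "guessing of social security numbers" against an application looks like in practice, with the corrected design beside it, as an added illustration written for this Compliance Corner; it is not the UT Austin application or any code from UT System. Everything in it is constructed for the demonstration: the sample records and their numbers, the idea of issuing each person a random token out of band, the caller identifier used for lockout and the threshold of ten failed attempts.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math"
)

// Record is a constructed sample record; names and numbers are made up.
type Record struct{ Name, SSN string }

// Constructed directory keyed by SSN. The flawed design is exactly this: a lookup
// that takes an SSN, returns the matching record and never refuses another try.
// The made-up numbers share five leading digits, the kind of partial knowledge
// an attacker often has.
var directory = map[string]Record{
	"123450017": {"A. Student", "123450017"},
	"123450412": {"B. Student", "123450412"},
	"123450998": {"C. Student", "123450998"},
}

// EnumerateSSNs plays the attacker against the SSN-keyed lookup: fix the known
// leading digits, try every value of the rest and keep each confirmed number.
func EnumerateSSNs(bySSN map[string]Record, knownPrefix string) []Record {
	var found []Record
	unknown := 9 - len(knownPrefix)
	limit := int(math.Pow10(unknown))
	for n := 0; n < limit; n++ {
		if r, ok := bySSN[fmt.Sprintf("%s%0*d", knownPrefix, unknown, n)]; ok {
			found = append(found, r)
		}
	}
	return found
}

// TokenLookup models the corrected design: a record is addressed by a random
// 128-bit token issued to its owner out of band (assumption: e.g. mailed), never
// by SSN, and each caller gets a small budget of failed lookups before lockout.
type TokenLookup struct {
	byToken  map[string]Record
	failures map[string]int // per caller (assumption: source address or session)
	maxFails int
}

var ErrLockedOut = errors.New("too many failed lookups; caller locked out")

// NewTokenLookup returns the service and the issued tokens keyed by SSN; the
// latter exist only so the demo can perform one legitimate lookup.
func NewTokenLookup(recs map[string]Record, maxFails int) (*TokenLookup, map[string]string) {
	t := &TokenLookup{byToken: map[string]Record{}, failures: map[string]int{}, maxFails: maxFails}
	issued := map[string]string{}
	for ssn, r := range recs {
		buf := make([]byte, 16)
		if _, err := rand.Read(buf); err != nil {
			panic(err)
		}
		tok := hex.EncodeToString(buf)
		t.byToken[tok], issued[ssn] = r, tok
	}
	return t, issued
}

func (t *TokenLookup) Lookup(caller, token string) (Record, error) {
	if t.failures[caller] >= t.maxFails {
		return Record{}, ErrLockedOut
	}
	r, ok := t.byToken[token]
	if !ok {
		t.failures[caller]++
		return Record{}, errors.New("no such record")
	}
	return r, nil
}

// EnumerateTokens runs the same guessing attack against TokenLookup and reports
// what was recovered and whether the caller was locked out first.
func EnumerateTokens(t *TokenLookup, caller string, attempts int) ([]Record, bool) {
	var found []Record
	for n := 0; n < attempts; n++ {
		r, err := t.Lookup(caller, fmt.Sprintf("%032x", n))
		if errors.Is(err, ErrLockedOut) {
			return found, true
		}
		if err == nil {
			found = append(found, r)
		}
	}
	return found, false
}

func main() {
	found := EnumerateSSNs(directory, "12345") // 10,000 guesses against the flawed design
	hard, issued := NewTokenLookup(directory, 10)
	stolen, locked := EnumerateTokens(hard, "attacker", 10000)
	_, err := hard.Lookup("owner", issued["123450017"])
	fmt.Printf("SSN-keyed: %d of %d records guessed\ntoken-keyed: %d guessed, attacker locked out: %v, owner lookup err: %v\n",
		len(found), len(directory), len(stolen), locked, err)
}
```

The flawed lookup gives up every record in the range within 10,000 attempts, and nothing stops an attacker from covering the whole nine-digit space the same way. The corrected lookup keys records on a 128-bit random token rather than the SSN, so guessing is hopeless even without the lockout, and the lockout additionally stops a guesser after ten failures, while a legitimate holder of an issued token is unaffected. The same two changes, an unguessable identifier and a limit on failed attempts, apply to any system that today accepts an SSN as proof of who the caller is.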

Thank you for your compliance interest.

Doug Arney
Compliance Manager

* Information provided by UT System