Three universities recently reported security breaches that compromised student and faculty private data. While unrelated, these incidents underscore the importance of educating employees about the security implications of accidentally misplacing data.
Nine lists containing personal information on 6,030 students were leaked online by a Missouri State University employee in November 2010, but the breach was not identified until Feb. 22, wrote Kevin Shwaller of OzarksFirst.com.
The university had created lists of students who’d studied at the College of Education at MSU between 2005 and 2009 to submit for accreditation approval, according to the March 3 article. The lists contained names and Social Security numbers, the university said.
Although the lists were supposed to be uploaded to a secure server accessible only to university personnel as part of the accreditation process, they ended up on an insecure server, exposing them to the Google spiders indexing the Web, the university said. The MSU IT team is currently working with Google to remove all leaked lists from the search engine’s indexes, the university said.
Organizations usually have 60 to 120 days to approach a breach. In this case, MSU acted very promptly.
Employees don’t understand the risks of mishandling sensitive information, Geoff Webb, director of product marketing at Credant Technologies, told eWEEK. While training on what to do with data is important, users need to think about security all the time, and not just as a “check-box item” to address once a year, he said.
It’s an education problem, Josh Shaul, CTO of Application Security, told eWEEK. For example, if a laptop with sensitive information is lost, employees think of it in terms of a lost computer and not as a corporate data breach, he said. They don’t realize there’s no difference, he said.
That is similar to what happened at South Carolina’s Midlands Tech, where a contractor walked off with a flash drive containing personal information on employees. Even though the drive was returned immediately and the university doesn’t think anyone actually used the information, the university will still pay for credit monitoring for concerned employees, said Todd Gavin, a Midlands Tech spokesperson.
Employees need to think about security as they walk around with terabytes of storage in their pocket, Webb said.
As for the MSU incident, there were “23 hits” on pages containing the exposed student data, and “every one of these hits was from residential type areas that we could determine,” said Jeff Morrissey, an MSU spokesman.
All but six students have been notified of the breach; the university was still searching for an address, phone number or e-mail address for those six, Morrissey said. MSU has notified the Missouri Attorney General and has taken disciplinary action against the employee who posted the lists.
Instead of a big training session that companies might just “roll their eyes and tune out,” organizations should make information security a part of the business process, Shaul said. This can take the form of signs and other visual cues reminding users they can’t copy data onto unsecured drives, similar to the signs reminding users to use a shredder for sensitive documents, he said.
Even the best trained and security-savvy employee can make mistakes. So even with education in place, policy needs to be defined so that mistakes can be caught and to keep honest people honest, Ken Ammon, chief strategy officer at Xceedium, told eWEEK.
Good processes should prevent unsafe handling of information because they catch instances when the user is lax, Webb said. For example, forcing the employee to do a final check and documenting that the documents were copied to the correct server would ensure that mistakes are caught before they become a breach.
A security breach at the University of South Carolina Sumter exposed on the Internet the Social Security numbers and other personal identifying information of nearly 31,000 faculty, staff, retirees and students, according to TheState.com. While the breach was discovered in January, the university waited until March 1 to notify affected users, because the university wanted to ensure all affected people had been identified, USC spokeswoman Margaret Lamb told The State.
The breached server was located on the USC Sumter campus, but all eight campuses were affected, the university said. The security breach was caused by human error, but USC declined to provide additional details.
The 2010 data breach report from Ponemon Institute found that nearly 41 percent of the breaches in 2010 were caused by “negligence.”
Technical controls need to be in place as the last line of defense against accidental breaches, Credant Technologies' Webb said. If the user makes mistakes caused by lack of knowledge and the processes are not there to correct those mistakes, then having technology in place to catch violations would prevent the breach from happening. For example, software that prevents sensitive information from being written to flash drives, even temporarily, would ensure data won’t leave the corporate environment if the device is lost, he said.
Data breaches are a growing problem. The 2010 data breach report from Ponemon Institute found that the average cost of a data breach is approximately $7.2 million. That hefty price tag includes the cost of hiring a third-party security auditor with computer forensics knowledge to investigate what happened and fix the issue, notifying all the users and the state government, setting up a call center that can handle questions from worried victims, paying for credit monitoring services, and lost productivity and sales as customers leave, Shaul said. In a heavily regulated industry, compliance fines can also increase the cost of the breach, he said.