A notice was posted today on Virginia Commonwealth University’s web site:
To the VCU and VCU Health System communities:
A security incident has resulted in unauthorized access to a Virginia Commonwealth University computer server containing files with personal information on current and former VCU and VCU Health System faculty, staff, students and affiliates. We believe the likelihood is very low that any personal data on the individuals in the files was compromised, but it is impossible to be completely certain, so we are notifying all involved via email and first-class mail.
On October 24, routine monitoring of servers supporting a VCU system uncovered suspicious files on one of the devices. The server was taken offline and a forensic investigation was launched to identify what unauthorized activities had taken place and the vulnerabilities that led to the compromise. The vulnerabilities have been corrected, and it has been determined that this server contained no personal data.
Five days later, VCU’s continuing investigation revealed two unauthorized accounts had been created on a second server, which also was taken offline. Subsequent analysis showed the intruders had compromised this device through the first server. The intruders were on the server a short period of time and appeared to do nothing other than create the two accounts.
Files on this second server contained data on 176,567 individuals. Data items included either a name or eID, Social Security Number and, in some cases, date of birth, contact information, and various programmatic or departmental information.
Our investigation was unable to determine with 100 percent certainty that the intruders did not access or copy the files in question. We believe the likelihood that they did is very low. However, because this data was potentially exposed, we are proactively informing affected individuals of this event and of subsequent actions they can take to monitor personal information. The following website contains more detailed information about this incident, as well as how to monitor your personal information, including credit monitoring or acquiring identity protection services: http://go.vcu.edu/securityincidentresponse.
VCU continues its investigation and is working with local and federal law enforcement agencies. If you have any questions or concerns, please contact the Security Information Center we have established to handle your inquiries: (855) 886-2931 or [email protected]. Over the next two weeks, this Security Information Center helpline will be staffed from Monday to Friday 7:30 am – 8:00 pm, Saturday from 10:00 am – 6:00 pm and Sunday from 12:00 pm – 8:00 pm to answer your questions.
VCU is reviewing its information technology security measures and procedures and will make improvements to prevent this type of incident from happening again. We regret this incident, and I apologize for any inconvenience or worry this may have caused you.
Sincerely,
Mark D. Willis
Chief Information Officer
It’s a good description but I wish they wouldn’t rush to minimize risk. The fact is, as they say, that they don’t know. Under such circumstances, why not just tell people what you do know and let them form their own assessment of their risk so they can decide what to do, if anything?
h/t, CBS6 and Richmond Times-Dispatch.
Previous breaches involving VCU can be viewed on DataLossDB.org.
“…why not just tell people what you do know and let them form their own assessment of their risk…” You know, I couldn’t agree more.
On the other hand, the reality is that most people are not well-versed in “what it all means.” I read the other day a commentator (on another site) complaining about an encrypted laptop being lost: her argument was that there was a chance — based on the admission that there is an extremely tiny but remote chance, from a technical standpoint — that someone could get at the contents of a laptop. She was adamant that the computer should have been kept in a locked room, as if computers never get stolen from locked rooms.
In the VCU case above, figuring out the odds of the data being safe would require a list of what protections were in place, what forensic testing they did (in case they missed a particular attack method), logs, etc. The problem is, most people, including myself, are not in a position to analyze such results. Plus, can you imagine the size of the breach notification package (yea, give me an internet connection any day)?
You’d need an expert to do the analysis for you. But, I can already begin to imagine conspiracy theorists and others spinning a yarn on how “they” are all in cahoots…
I didn’t mean that they should list all the forensic tests and results so that recipients could make their own determination. If they simply said, “Despite our testing, we are not sure at this point whether your (data types inserted here) were accessed or not. Nor have we figured out why the intruder set up accounts. Under the circumstances, it’s impossible for us to accurately assess the risk that your data will be misused. To be cautious, you could take the following steps:…..”
I didn’t express myself well, as my comment was not only on what I had quoted but about such declarations in general; I had waxed a little philosophical as well. I’m not sure whether I can clarify things with this follow up but I’ll try.
My point/observation is that there’s no way to tell, is there, whether they’re minimizing the risk. In the above, are they minimizing the risk (a PR move that generally nobody buys) or are they letting me know that there’s *actually minimal risk*? The latter I’d welcome with open arms in any notification letter I’d be receiving.
In this case, someone carried out an investigation, someone who knows what they’re doing. If minimal risk is the outcome, then that’s the outcome. Of course this doesn’t mean “no risk.” More than anything, it probably means that:
a) whatever data logs they have don’t show any indication of certain data being downloaded, and
b) cross-referencing other logs doesn’t show any activity of download logs being wiped clean or altered to show fictitious data/histories.
You can see that there’s a limit to how much weight you can give to investigations involving site hacks. However, if monitoring was set up properly, there’s very little reason to doubt the outcome even with such hacker hijinks, although there’s always room for an erroneous conclusion, no matter how small.
So, I’m welcoming the statement: it lets me know where I stand realistically. This, to me, is a better yardstick about the risks I face than a blanket “we’re not sure…” Of course, it goes without saying that low risk or high risk, one should keep an eye out. In fact, one should keep an eye out even with no risk….
And, yet, how can one be sure the investigator wasn’t pressured to come to a certain conclusion (this is where I get philosophical)? A list of tests and results could back up their claims; however, as I’ve noted, I wouldn’t be able to make sense of such information even if it were given.
I am of the opinion that, ultimately, the point of breach notification letters is so an individual can assess how much risk one is facing and take appropriate action. How can I make that assessment in this case? I cannot. I’d have to take an expert’s word for it. The same type of expert (or perhaps the same expert) that assessed VCU’s breach. This creates a dilemma. The “safe” thing to do is not to believe these reassurances. But is that the right stance to take?
As I was typing up this comment, I ran across this: http://campustechnology.com/articles/2011/11/15/virginia-commonwealth-u-uses-video-to-communicate-data-breach-details.aspx?m=2. It’s a video by the VCU IT staff explaining what happened.
After seeing this, would you say that they’re minimizing the risks, or that there is actual minimal risk? Assuming no one’s being pressured, I’d say it’s the latter.
Typing up this comment has raised a number of other questions that I’ll keep to myself ;). Think this is already long as it is.
Wonderful comment, Sang. Thank you.
You say, ” If minimal risk is the outcome, then that’s the outcome.” The problem is that we do not know how accurate such risk assessments are – even if we know what specific analyses were conducted. So even if they believe it and even if their risk assessment shows low risk, the risk may not be low. Consider this:
1. How many times have we seen such “low risk” statements only to find out years later that data were subsequently misused?
2. Very few letters say “We think the risk is high.” Most say low, right? Yet studies by Javelin consistently report that those who receive breach notification letters are 4-5x as likely to become victims of ID theft or fraud within the next 12 months. If that’s the case, then a lot of those “low risk” breach notification letters were wrong.
I think you’re quite correct that the majority of the public cannot assess their risk and wants to rely on “professionals.” But the professionals/entities have a self-serving motive or maybe cockeyed optimism at times. Yes, those who bring in outside investigators are more likely to provide less subjective analyses, but this is still nowhere close to science.
Of course, part of the solution is to get a greater database of breaches with follow-up data so we can really analyze trends and risks. And towards that end, I continue updating and backfilling DataLossDB.org and updating this blog.
Cheers,
/Dissent
Letting people form their own assessment of risk means that you assume that people understand what risk is in the first place. Risk to a security professional is almost second nature. The common folk may know the definition of IT risk, but to what depth? Some people may not care at all; others may go over the edge and blow this way out of proportion.
PII is a delicate piece of data; it’s not perishable until the person attached to it becomes so. So I am sure there are many accounts that have been compromised that have not been used. That muddies the water as to where the breach came from.
The thing that bothers me to no end is this. The breaches may be exposed, but there is no documentation of how these people are getting in. I mean, with the majority of breaches dedicated towards forums for example, are they all using the same flavor of forum software, same type of SQL software, same type of PHP, web or operating system?
It’s unfortunate that people get hacked; but if the information that leads to the breach is given out, others that are using the same style setup can understand that they too may be at risk. Hackers work together for a common goal. Merchants are typically competitors and don’t want to share data. If one merchant gets breached, the other can use it against them in order to gain more customers. Who actually wins here? The hacking group in the long run.
I think in my opinion people in general do not understand the risks involved when it comes to the many ways their PII is at risk. It’s online; skimmers; social engineering; internal threats and the list goes on and on. I don’t want to even think how long it would take to educate the economy on the threats that could attack their PII.
Any sort of compensation in the way of credit monitoring or identity theft monitoring would have to be for many years to be effective. Simply sending a person a piece of postal mail doesn’t cut it. Let there be a comprehensible online website available in both simple and advanced fashions for people to go to and get training. One caveat: they have to care about what they do and potentially click on.
The way ahead for the consumer is broken. As long as big businesses are making a positive cash flow, this issue will NOT be fixed. It’s hard to see smaller countries going to a better way in respect to biometric or RSA/PIN based credit cards while it’s rare to see such a thing in the USA.
People yell about the government prying into their own private data, when there is no immediate gain. They seem to scream less about the unauthorized person looking over their data until their credit or bank accounts are drawn down to near zero.
RONCO has to have a better way.