The University of Nebraska disclosed a breach last week, which I dutifully entered on DataLossDB. The breach sounded like it could be huge, despite the university’s statement that it had no evidence (at that time) that any data had been downloaded:
The NeSIS database includes Social Security numbers, addresses, grades, transcripts, housing and financial aid information for current and former NU students as well as student applicants who may or may not have attended NU. The database includes information for alumni as far back as spring 1985.
The financial aid information included bank account data.
Today, as the university continues to investigate the hack, it disclosed more details. And while the thrust of the latest update, reported by Maggie O’Brien of Omaha World-Herald, is that the university is closer to identifying the hacker, what struck me was the sheer magnitude of the breach and how avoidable it all was:
The computer database holds 654,000 Social Security numbers as well as other personal information. It serves all four NU campuses — one in Lincoln, two in Omaha and one in Kearney — and includes alumni information from as far back as 1985.
At stake is not only personal information such as grades, but potentially critical information like Social Security numbers — which can be used for identity theft — and, in some cases, bank account numbers.
Mauk said that as of Sunday, officials had not been notified of any identity theft cases stemming from the breach. Even so, 21,000 people whose bank account information was on the student information system have been alerted.
What were 654,000 Social Security numbers doing being connected to the Internet? Why wasn’t the old data going back 25 years moved offline? Why weren’t the SSN converted to non-sensitive identification numbers? Is there really any justification for 21,000 bank account numbers to still be in an accessible database?
The U.S. Department of Education has never been firm enough in prohibiting the use of SSN as student identifiers. And this is what happens.
It’s time for the U.S. Department of Education and/or Congress to act. Data such as bank account numbers should not be retained/stored past its intended use or freshness date. And SSN should be replaced with unique identifiers that even if stolen, could not be used for fraud or ID theft.
Enough is enough. Attending a university shouldn’t put students and their parents at needless risk of ID theft.
What do you say about government accessibility efforts and e-Medicine? Isn’t the entire world headed in the other direction?
Too much data is available online – sometimes because entities don’t even realize that some of their devices are connected to the Internet. And yes, the entire world is (recklessly) headed in the other direction.
Consider how many records with medical info Express Scripts and WellPoint had/have connected via the Internet at the time of their respective breaches. Now imagine them all dumped on the Pirate Bay. Hell, let’s make it even worse (from my standpoint): picture all the records from 5 psychiatric hospitals whose records each go back 20 years dumped in a torrent on Pirate Bay. Then what?
It’s too tempting to hang on to too much data indefinitely and unless regulations require deletion or purging or offline storage, the number of massive breaches will likely only continue.