I received an email today from a University of Hawaii student who is feeling unsettled by all of the breaches that the University has had in the past year. He wanted to let me know that although mainstream media were saying that the University of Hawaii had experienced three breaches since 2009, they’ve actually experienced four. When I checked into the information he sent me, he was right. Well, if we don’t count an even smaller fifth incident, he’s right.
The three breaches previously reported in the media involved a faculty member uploading 40,000 students’ information, including SSNs. to an unencrypted faculty web server, a breach of the Manoa parking office server that contained 41,000 SSN, 200 credit card numbers, and records on 53,000 people, and a third incident from 2009 when the university discovered that a Kapiolani Community College server infected with malware was networked with another server that contained personal information of 15, 487 students and their parents, including Social Security numbers.
The fourth incident, which seems to have flown under the radar (no pun intended), occurred on February 1, 2010 at the University of Hawaii Pacific Aviation Training Center (PATC) at Honolulu Community College. In that case, a desktop computer was storing flight student’s names and credit card numbers, although such information was not to be stored. A report filed by the University to the state legislature on the incident indicates that the desktop was later accessed by another desktop system at PATC that was in a common area accessed by students, faculty and staff in a maps and planning room in a secured area. Thirty-five students were notified of the breach.
So … is four breaches since 2009 unusually bad or about normal for a university system? Or is it even better than normal? What do you think?