In a news report headlined, “Data breaches earn UH an ‘F’,” Gordon Y.K. Pang reports:
A national organization has given the University of Hawaii a grade of “F” for online security breaches that exposed Social Security numbers and other sensitive information in nearly 260,000 records.
The Liberty Coalition, a nonprofit civil liberties watchdog group, yesterday said more than half of the estimated 479,000 Hawaii records breached since 2005 were those mishandled by UH.
Read more in the Star Advertiser. Apparently, the organization was asked by a state legislator to compile a list of breaches by state agencies and the University of Hawaii. Read the Report, Part 1 (pdf).
My comments: I am always interested to see analyses of breaches and trends, and I understand that the state legislature is concerned about what is going on in their state, but some context might help their report. Is U. Hawaii the only state university to have an “uptick” in breaches this year? How does their rate of breaches compare with other state universities across the country? For example, the report states:
The University of Hawaii system (UH) deserves special treatment in this report for the sheer volume of breaches it has sustained. Since 2005, UH has incurred five documented breaches, involving more than a quarter million UH records.
Five breaches in five years probably doesn’t sound horrific to those who remember that Ohio State University recently admitted to having about 10 breaches per year and who know that other major universities have had numerous breaches. As just two examples: ESI’s records indicate that the U. of Florida has had 10 documented breaches in the past five years involving approximately 450,000 records, while U. of Texas has reported over a dozen incidents since 2006 involving over 350,000 records. Viewed in that light, the number of UH breaches and number of records doesn’t sound that dramatic. That said, if we were to compare UH’s breach frequency to state universities in states that have comparable population size (e.g., New Hampshire, Rhode Island, Maine), they do appear to have had more breaches. Unfortunately, the report provides no comparison, and the “sheer volume” characterization seems intended to horrify rather than to educate.
Note that I am not trying to minimize the significance of the UH breaches, as I take every breach seriously, but when presenting information to legislators, providing some context seems important.
I also noted that the “exhaustive summary of data breaches affecting Hawaii residents, from all known sources, by all types of organizations” seems to be missing a number of breaches that did not involve UH:
- In March 2007, 39 boxes of records from the by-then-defunct Fidelity Escrow Services Corp. in Honolulu were dumped in a recycling bin in Niu Valley, spilling files containing Social Security numbers, loan applications, credit reports and other private financial information. Stephen Marn agreed to pay the state a fine of $10,000 for improperly disposing of the records, which contained approximately 1,000 customers’ Social Security numbers and other financial information.
- In 2007, an unspecified number of Washington Mutual Bank customers on Oahu were the victims of ID theft/ATM fraud by an unknown individual. It was not revealed how he obtained all of their account numbers.
- The Colt Express Outsourcing Services breach in 2008 affected more than 2,000 Punahou School employees and retirees.
- In 2008, an unnamed doctor in Hawaii leaked 1,767 files onto the Gnutella file sharing network. These files contained several hundred medical records along with personal identifiers. It’s not clear that any patients were ever notified of the compromise nor whether HHS was notified under HIPAA.
- An unspecified number of customers of Hawaii Pacific Federal Credit Union were affected by the Heartland Payment Processor breach that was revealed in 2009. I had discovered the notice on their web site and sent it on to BankInfoSecurity.com who were compiling a list of financial institutions affected.
- In March 2010, the state temporarily removed two procurement-related web sites following a security breach that exposed the user names and passwords of hundreds of state and county employees. Given how many people reuse login info, the compromise of login info could have put them at risk for other problems.
- In April 2010, 242 Federal Fire Department workers in Honolulu were advised to look for unusual activity on their bank accounts after allegations that an employee wrongfully accessed their personal information. I never saw any follow-up on that one.
The above list does not include media reports of ID theft from non-organizational sources that also affected Hawaii residents, such as the indictment of former beauty queen Susan Shaw for ID theft involving Hawaii residents or the case of Cpl. Daniel Alfieri, who was sentenced to prison for stealing the identities of fellow Kaneohe Marines. Indeed, the reports that Liberty Coalition omitted probably account for much more ID theft or fraud than the breaches they did include.
As suggested by the above, while the report asserts that it focuses on organizational breaches and has done an “exhaustive” summary, it under-reports non-UH organizational or agency breaches and has probably not included what appear to be common sources of card fraud or ID theft affecting residents of Hawaii. While adding in the additional breaches does not diminish the number of records involved in UH breaches nor alter any claim that UH may be the single biggest source of breaches, it would refute the report’s claims that “The University of Hawaii System Accounts for More than Half of Hawaii Breaches” and that UH breaches account “for more than 50% of all reported breaches in the state since 2005.” Those assertions are just flat-out incorrect, and I hope they issue a public correction to their report.
Should UH harden its security? Yes. All entities in custody of personally identifiable information should always be working to harden their security and data protection and many of us would agree that even one breach is one too many — even though we know that breaches are somewhat inevitable.
Should the legislature consider whether it has adequately incentivized organizations, including UH, to better protect data? Definitely.
Should disclosure notices contain more details? Yes, and that problem is not unique to Hawaii. Databreaches.net has consistently urged Congress to pass a federal statute that would specify the required elements of a disclosure notice.
Is UH as bad as the report might suggest? Probably not, but that doesn’t mean that there’s not significant room for improvement. Unfortunately, the failure to adequately research non-UH breaches and the downgrading of UH for not participating in a press conference with Liberty Coalition suggest that the whole report is tainted by bias or political agenda. And that’s a shame, because the report does raise some valid points.