DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

University of Nebraska breach needs to reverberate in Washington, D.C.

Posted on May 28, 2012 by Dissent

The University of Nebraska disclosed a breach last week, which I dutifully entered on DataLossDB. The breach sounded like it could be huge, despite the university’s statement that it had no evidence (at that time) that any data had been downloaded:

The NeSIS database includes Social Security numbers, addresses, grades, transcripts, housing and financial aid information for current and former NU students as well as student applicants who may or may not have attended NU. The database includes information for alumni as far back as spring 1985.

The financial aid information included bank account data.

Today, as the university continues to investigate the hack, it disclosed more details. And while the thrust of the latest update, reported by Maggie O’Brien of Omaha World-Herald, is that the university is closer to identifying the hacker, what struck me was the sheer magnitude of the breach and how avoidable it all was:

The computer database holds 654,000 Social Security numbers as well as other personal information. It serves all four NU campuses — one in Lincoln, two in Omaha and one in Kearney — and includes alumni information from as far back as 1985.

At stake is not only personal information such as grades, but potentially critical information like Social Security numbers — which can be used for identity theft — and, in some cases, bank account numbers.

Mauk said that as of Sunday, officials had not been notified of any identity theft cases stemming from the breach. Even so, 21,000 people whose bank account information was on the student information system have been alerted.

What were 654,000 Social Security numbers doing being connected to the Internet? Why wasn’t the old data going back 25 years moved offline? Why weren’t the SSN converted to non-sensitive identification numbers? Is there really any justification for 21,000 bank account numbers to still be in an accessible database?

The U.S. Department of Education has never been firm enough in prohibiting the use of SSN as student identifiers. And this is what happens.

It’s time for the U.S. Department of Education and/or Congress to act. Data such as bank account numbers should not be retained/stored past its intended use or freshness date. And SSN should be replaced with unique identifiers that even if stolen, could not be used for fraud or ID theft.

Enough is enough.  Attending a university shouldn’t put students and their parents at needless risk of ID theft.

Category: Breach IncidentsCommentaries and AnalysesEducation SectorHackOf NoteU.S.

Post navigation

← BZPower.com Bionicle Hacked Again, 900+ Accounts Leaked
Ca: Durham Region Health class action lawsuit puts price on personal information →

2 thoughts on “University of Nebraska breach needs to reverberate in Washington, D.C.”

  1. gary says:
    May 30, 2012 at 3:41 pm

    What do you say about government accessibility efforts and e-Medicine? Isn’t the entire world headed in the other direction?

    1. admin says:
      May 30, 2012 at 4:22 pm

      Too much data is available online – sometimes because entities don’t even realize that some of their devices are connected to the Internet. And yes, the entire world is (recklessly) headed in the other direction.

      Consider how many records with medical info Express Scripts and WellPoint had/have connected via the Internet at the time of their respective breaches. Now imagine them all dumped on the Pirate Bay. Hell, let’s make it even worse (from my standpoint): picture all the records from 5 psychiatric hospitals whose records each go back 20 years dumped in a torrent on Pirate Bay. Then what?

      It’s too tempting to hang on to too much data indefinitely and unless regulations require deletion or purging or offline storage, the number of massive breaches will likely only continue.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Why Dumping Sensitive Data on Network Shares is a Liability
  • A militarily degraded Iran may turn to asymmetrical warfare – raising risk of proxy and cyber attacks
  • Pro-Russian hackers disrupt Dutch government websites ahead of NATO summit
  • Iran-Linked Threat Actors Leak Visitors and Athletes’ Data from Saudi Games
  • UK: Oxford City Council still investigating cyberattack from earlier this month
  • Steelmaker Nucor Says Hackers Stole Data in Recent Attack
  • People’s Republic of China cyber threat activity: Cyber Threat Bulletin
  • Ukrainian Web3 security auditing company Hacken suffered an attack that allowed a hacker to create 900 million HAI tokens
  • McLaren provides written notice to 743,131 patients after ransomware attack in July 2024 (2)
  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.