DataBreaches.Net

New Math, data breaches version

Posted on May 30, 2012 by Dissent

As a survivor of New Math, it’s somewhat amazing that I’m willing to deal with numbers or math at all. Yet, here I am, with a simple equation as today’s New Math:

UNCC + UN = time for regulation

Simple, elegant, and somewhat nonsensical as a math equation, but two recent education sector breaches do add up to a call for regulation. I’ll start by reviewing some of the highlights – or should I say lowlights – of the two incidents.

The University of North Carolina at Charlotte (UNCC) data breach was disclosed in February, but as reported by the university’s counsel in May, they still weren’t sure they had identified or notified everyone who needed to be notified:

Data were exposed to the Internet, including financial account numbers and approximately 350,000 social security numbers. The exposure has been remedied, and the University is acting to alert people who may have been affected by this exposure. However, because of the size and nature of the incident, the University is unable to determine at this time whether any individual New Hampshire residents were affected…. […]

Due to incorrect access settings, large amounts of electronic data hosted by the University were accessible from the Internet. There were two exposure issues, one affecting general University servers over a period of approximately three months, and another affecting the University’s College of Engineering servers over a decade or more. The University has no reason to believe that any information from these servers was inappropriately accessed or that information was used for identity theft or other crime. These data involved people connected to the University, and included names, addresses, social security numbers, and/or financial account information provided in association with transactions with the University.

How can the university be sure that the data were not accessed? Does it have logs going back a decade that it has reviewed? And how can it have no reason to believe that the breach resulted in fraud or ID theft when no ID theft victim would have had any reason to connect their problems to the UNCC breach until it was disclosed and individuals notified?

And while the university blames its configuration errors, why not also blame the university for storing and retaining so much data on servers connected to the Internet?

Fast forward to the University of Nebraska breach, disclosed last week. That breach, attributed to a hack, may have compromised 654,000 records including SSN and over 20,000 bank account numbers. The data on the server goes back to 1985. Why?

Note that this was not UN’s first large breach. In November 2010, the Lincoln campus reported that some 300,000 students’ financial data had been exposed on the Internet on the state treasurer’s site. The state, responding to the university’s request to remove the refund data, had noted that the university had been given opportunities to scrub the data before they were posted publicly but that the university had not done so.

Now according to Dissent’s New Math, 350,000 + 654,000 = more than 1 million students, faculty, and parents who have had their SSN and/or bank account information exposed in just two universities’ recently disclosed breaches. What percent of the hapless students, faculty, and parents could have been spared if the universities did not store so much data on servers connected to the Internet?

I’ll ask again: why hasn’t the U.S. Department of Education or Congress done something about this recurring problem? And it is recurring. Here are some other large university breaches involving student information over the past 8 years, in chronological order:

  • A hack of San Diego State University disclosed in March 2004 affected 178,000
  • A hack of a University of California San Diego database disclosed in May 2004 affected 380,000
  • A hack of the University of Hawaii disclosed in June 2005 affected 150,000
  • A hack of a University of Southern California database disclosed in July 2005 affected 275,000
  • A hack of University of Texas databases disclosed in April 2006 affected 197,000
  • A hack of Western Illinois University disclosed in June 2006 affected 180,000
  • A hack of a UCLA database disclosed in December 2006 affected 800,000
  • A hack of Valdosta State University disclosed in February 2010 affected 170,000
  • Web exposure of University of Nebraska – Lincoln student financial data disclosed in November 2010 affected 300,000
  • A hack of an Ohio State University database disclosed in December 2010 affected 760,000
  • A hack of Virginia Commonwealth University disclosed in November 2011 affected 176,567
  • A hack of an Indiana University database disclosed in January 2012 affected 650,000
  • Two configuration error breaches at the University of North Carolina at Charlotte disclosed in February 2012 affected 350,000
  • A hack of University of Nebraska disclosed in May 2012 affected 654,000

…. and there’s much more.

Note that the number affected per breach does not appear to be systematically decreasing over the years, suggesting that universities are not getting the message or learning important lessons about preventing breaches involving SSN or financial information.

So….. can you hear me NOW? It’s time to get serious about data retention and sensitive data connected to the Internet in the education sector.

Clip art by Phillip Martin.

