Universities Struggle with Wave of Data Breaches

Universities in Florida, California, and Maine are all grappling with the fallout from data breaches that have exposed personal information to potential misuse.

In late June 2010, Florida International University in Miami began notifying about 19,000 students and 88 faculty members that a database with their GPAs, test scores, and Social Security numbers was found to be unsecured. That database was used in connection with the College of Education's eFolio software, an electronic portfolio program that maintains evidence of students' mastery of State of Florida and national teacher education standards through the tracking of grades, test scores, completed assignments, and other data elements. Access to the eFolio Web site requires the user to enter a username and password. However, according to instructions on the university's Web site, when users don't know their username, they're directed to go to another site and enter their Social Security number to obtain the e-mail username.

The university said there was no evidence that anybody had actually retrieved or used the personal information. The notification was required by law to enable potential victims to take steps to prevent misuse of the information.

On June 29, the University of Maine said it was investigating a computer security breach involving two servers containing personal data on about 4,585 students. The files dated back to 2002. The servers held information from the university's counseling center. The compromised database included names, Social Security numbers, and clinical information on students who had used the center's services. The investigation began when the center's staff reported problems in accessing the files on a server.

That server had been compromised, security experts found, as early as March 4, 2010. Once the hacker had gained access there, he or she infiltrated a second server.

"The high-level safeguards we have in place routinely thwart these attempts, but they were not adequate in this case," vice president for Student Affairs and Dean of Students Robert Dana said at a news conference. "This is a serious breach, and we are profoundly sorry that this has happened."

U Maine signed on with service firm Debix to monitor the records of potentially affected individuals and watch for indications of identity theft and other fraudulent activity related to their credit. That service will last for a year and will cost those affected nothing. The university also said it would send a customized letter to each person in the database in July, to provide instructions for how to access Debix's services.

"This is an insidious affront to the rightful privacy expectations of our students," added Dana. "The criminals who make it their business to exploit our society's need and ability to store information are beneath contempt and we are engaging all possible resources to find the source of these attacks."

Shortly after that, in early July, California State University, San Bernardino investigated a much smaller data breach potentially affecting 36 students. In this case, information from a class roster containing names and Social Security numbers was inadvertently made public on a Web server, the university said in a public statement. The investigation "thus far" had come across no evidence that anybody had actually found and used the information.

"The university takes its responsibility for the protection of personal information very seriously and is implementing measures to prevent this type of incidents from happening in the future," said Javier Torner, information security officer.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
