School Data Security | News

U Hawaii Data Breach Echoes 2009 Incident

• By Dian Schaffhauser
• 07/19/10

Up to 53,000 people may have been affected by a recent data breach at the University of Hawaii in Manoa. The university system discovered the break-in during a routine audit June 15, 2010. The breach had taken place May 30, 2010 on a server used by the main campus' parking office. The university isolated the affected server and began an investigation, which included notifying the Honolulu Police Department and the FBI. IT has also retained a forensic computer expert to do further investigation.

U Hawaii said the server contained a database with personal information--including nearly 41,000 Social Security numbers and data on 200 credit cards. The database had records for faculty, staff, and students at the institution during 1998. Also included was anyone who had business--such as purchasing parking permits or having a car towed--with the parking office between Jan. 1, 1998 and June 30, 2009.

The university said that it had no evidence that the personal information maintained on the server was accessed or used. But it encouraged those who have been potentially affected to monitor their financial information and take measures against identity theft. The university has set up a helpline and e-mail account to answer questions.

On a Web page about the incident, the university said that Social Security numbers were no longer used for parking transactions and were being purged from current and historic parking office databases.

Fifteen months earlier the university took steps to notify students about a malware-induced data breach at Kapi'olani Community College. That incident involved 15,487 students--and potentially their parents--who had applied for or were granted financial aid during the previous five years. While the infected computer didn't store sensitive information, it was on a local network that provided access to data for financial aid processing.

After that incident, IT blamed a series of human missteps for the breach. The computer that ultimately caused the attack was "very infected," said Jodi Ito, information security officer, in a presentation about top security challenges in the U Hawaii System. The computer had been used to connect to another server that "stored years of sensitive information"; the user connected to the server every morning and stayed connected "as a matter of daily routine"; the user opened all e-mails and attachments "without regard to relevance"; and the user visited social networking sites. User training was one of Ito's recommendations for reducing the chances of a similar breach from occurring.