U Hawaii Data Breach Hits 40,000 Students

The University of Hawaii system has just suffered its third major data breach in two years. The latest one exposed Social Security numbers and numerous other personal details on 40,101 students who attended U Hawaii Manoa between 1990 and 1998 and in 2001. Although the university stated that it has no evidence that anyone's personal information was accessed for malicious intent, its efforts to communicate with people who potentially could be affected are hampered by the age of the data.

"There are going to be a lot of people who simply never ever get notified by this breach," said Aaron Titus, privacy director for the Liberty Coalition. The coalition works with other organizations to develop public policy related to civil liberties and individual privacy. It runs National ID Watch, a Web site that allows people to find out whether their information has turned up in a security leak.

This latest breach follows on the heels of a May 2010 U Hawaii security event involving 53,000 students and a 2009 breach affecting 15,487 parents and students.

Titus discovered the breach in October 2010 by doing a fairly simple Google search. He notified the university Oct. 18 about the security violation and shared his findings with IT personnel. Within hours, he said, the university took the server containing the data offline, started an internal investigation, and notified law enforcement agencies, including the FBI. The event was publicly announced Oct. 27 after Google's search caches had been cleared of the personal information.

According to Titus, the problem began when a retired faculty member decided to update a study he had first researched 15 years ago. That faculty member had worked for the Institutional Research Office doing a longitudinal study examining student retention issues. Two or three years ago, the professor decided to update his study, and he transferred large amounts of data to a home computer for ease of use. He also transferred statistical files to a university server Nov. 30, 2009 for easier access. That site was unencrypted. Because the former faculty member had to use a user name and password to get onto the server's contents, he assumed the files were protected.

"In fact, the files were not private," said Titus. "The server on which the information was posted is used by about a dozen professors to publish syllabi, class assignments, and other public information."

Sometime in the last few months, a Google spider indexed the server and made the statistics files available through Google search. In early October Titus found the files and reported the exposure.

"Although severe, we don't believe the breach was malicious," Titus said. "The professor is devastated. And although he bears some blame for the breach, the university has a pattern of breaches. Until this breach, the university had no policy of scanning for personal information. Further, it's unclear how many other faculty members have transferred personal student information to their home computers."

The data that were publicly available included names, Social Security numbers, dates of birth, addresses, demographics, and detailed academic performance data.

In a statement, the university acknowledged that the aggregation of the latest exposed files could "allow matching to create the potential for identity theft, which is highly unlikely to occur."

But that response doesn't satisfy David Lee Rogers, a university alumnus whose information was exposed in both the latest breach and the one that took place in May 2010. Rogers, a teacher, is currently unemployed. He lived in Hawaii for 21 years but now is in South Carolina. "I'm furious that this happened," he said. "Even though the FBI says there's no crime that's been committed by any person who downloaded this information, they don't know if a crime has been committed upon us as alumnus."

"It just disgusts me," he added. "I can't afford to do monthly credit checks on myself because I have no money."

The university is encouraging affected individuals to order free credit reports, review bank and credit card statements regularly for suspicious activities, and contact their financial institutions if they notice irregularities.

But that puts the burden only on affected individuals, Titus said. He'd prefer to see courts holding institutions directly responsible for the breaches and possibly imposing fines. "I've seen breaches like this happen before. The fallout goes something like this: Breach announcement. PR damage control. Stern memos written. IT staff works overtime for a couple of days or weeks. And then it's pretty much back to normal."

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
