The University of California at San Francisco (UCSF) has
acknowledged that a possible security breach may have exposed
46,000 people to potential identity fraud.
In a statement on the
UCSF Web site, the university said it has
warned some 46,000 people to look for signs of identity theft,
after discovering that an unauthorized party may have been able to
access the personal information of UCSF faculty, staff and students
by exploiting a security hole in a computer server. The personal
data included names, Social Security numbers, and bank account
numbers used for electronic payroll and reimbursement deposits.
The data may have been released from a server in the UC
system-wide data center, the university said, adding, "The incident
was identified in late March, and the server was immediately taken
off-line."
"There is no evidence at this time that any specific information
was accessed or acquired," Randy Lopez, co-chief information
officer for the Office of Academic and Administration Information
Systems, told The Associated Press.
The university told those who suspect fraud to contact the UCSF
police department and their personal bank and credit agencies. UCSF
has also established a hotline at 415-353-8100.
Colleges and universities have been particularly susceptible to
data breaches. At
San Diego State University, for example, a
hacker broke into the financial aid department's computer
records in December 2003 and accessed Social Security numbers
and other confidential information. More recently,
Ohio University revamped its central IT
department after data breaches there compromised personal
information belonging to 137,000 people.
Jonathan Penn, an analyst with Cambridge, Mass.-based Forrester
Research, said academic institutions are a popular target because
there are plenty of records to go after.
"There are typically tens of thousands of students and a lot of
financial information because they take out loans all the time," he
said. "That makes it an attractive target."
Penn added that university networks tend to be particularly
disorganized, with a lot of shared services and different
departments doing their own thing with IT. His advice to academia:
"Don't just have privacy as someone's third responsibility.
Establish a privacy program and have someone in charge of it."
Prat Moghe, founder of Maynard, Mass.-based Tizor Systems, said
the traditional university network perimeter tends to be weak, and
schools have to rely more on data-level or application-level access
controls that aren't as mature as they need to be.
"University security budgets are small and are an afterthought,"
he said. "They should be increased and CISOs should have clear
authority."
Meanwhile, he said, the architecture of university security
should be revamped from the inside-out, at a data level, by
understanding where the most important information is stored and
starting with security at that level first.
"For example, most critical data systems should be secured
first, whether in financial systems, alumni systems, grading
systems," he said. "Today the approach is to do incremental
security from outside in, which will take a very long time to show
benefits."
News of the possible UCSF breach comes at a time when much of
the information security community is fixated on the fallout from a
data breach at
TJX Companies Inc.
The Framingham, Mass.-based retail giant said last week that at
least 45.7 million credit and debit cards were stolen in the
breach, affecting customer information dating as far back as
December 2002.
Security experts are calling it the largest data breach in
history and
TJX has become a symbol of data insecurity,
despite extensive efforts the company has taken to improve
security since the breach was discovered.
By comparison, 26.5 million veterans and active duty personnel
were affected by the theft of a
Department of Veterans Affairs (VA) laptop
and external hard drive last year. And in 2005, credit card
transaction processor
CardSystems Solutions Inc. acknowledged that
hackers had stolen 263,000 customer credit card numbers and
exposed 40 million more to fraud.