02:57 PM
Connect Directly

Binghamton Data Breach Threatens CISO's Position

The discovery of documents with students' personally identifying information stored in an unlocked room has launched protests against the university's chief information security officer.

Students at Binghamton University in New York are circulating a petition to remove the university's chief information security officer following the discovery of boxes full of documents listing personal information of students and parents in an unlocked storage room.

The existence of the unsecured documents was discovered March 6 by a reporter working for student radio station WHRW and disclosed on March 9. For that investigative work, the student reporter could face criminal charges.

Binghamton University has had other recent problems with information security. In the past year, according to an article written by Robert Glass, the WHRW news director, university employees accidentally e-mailed the Social Security numbers of 338 students to another group of 200 students, sent the personal information of exchange students -- passport scans and birth certificates -- to student groups, and disposed of information about more than 70 former graduate students in trash bins atop a pile of shredded documents.

Those breaches led the university to create an information security council, with a full-time information security officer, to prevent further incidents, according to Glass.

Glass did not immediately respond to a request for comment.

A University spokeswoman characterized the hiring of Terry Dylewski as the university's chief information security officer as a reflection of the school's ongoing concern about information security rather than a response to past breaches.

Asked about the status of the students' petition to remove Dylewski, as reported by Broome County Fox affiliate WICZ TV, she said that question should be directed to the students.

The spokeswoman said the university is treating the incident as a possible crime and that a criminal investigation is ongoing. She said it is important to note that the storage area where the records were discovered is not a public space and that entry can only be gained by climbing onto a maintenance catwalk.

According to Glass' report, the door leading to the storage area had its latch held open with tape.

The spokeswoman was unable to provide information about whether the reporter who discovered the unlocked storage room would be charged with a crime such as trespassing. She said that depends on the outcome of the investigation.

A call to Broome County District Attorney Gerald Mollen seeking comment was not immediately returned.

According to Glass, quantifying the extent of the potential records exposure remains difficult. "Binghamton University has a yearly enrollment of roughly fourteen thousand people," he wrote. "If the information inside the room pertained only to the current students enrolled and their parents that would mean the story would [affect], roughly, forty-two thousand people. However, because the information goes back at least ten years, if not more, the potential number of people [affected] lies well in the hundred thousands."

Glass' account of the incident includes a handful of pictures documenting the accessible records.

The university spokeswoman said she had no information at this time about whether any of those records had been used for identity theft.

A recent report, "Breaches in the Academia Sector," by John Correlli of JMC Privacy Consulting Group, noted that from 2005 through 2007, there were 277 publicly reported breaches at colleges and universities in the United States. Eighty-nine of those incidents followed from unauthorized access, 45 came from accidental online exposure, and 37 were the result of a laptop theft.

And of the 263 reported privacy data breaches in the United States in 2008, about one-third (76) occurred at colleges and universities.

"As a direct consequence of an open environment, lack of comprehensive risk assessment oversight, outdated use of Social Security numbers as identifiers, and slow, and/or non-effective reaction to the latest security risks, unauthorized access rests atop of the list of privacy data breaches in the academic sector," the report said.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.