3/17/2009
02:57 PM

Binghamton Data Breach Threatens CISO's Position

The discovery of documents with students' personally identifying information stored in an unlocked room has launched protests against the university's chief information security officer.

Students at Binghamton University in New York are circulating a petition to remove the university's chief information security officer following the discovery of boxes full of documents listing personal information of students and parents in an unlocked storage room.

The existence of the unsecured documents was discovered March 6 by a reporter working for student radio station WHRW and disclosed on March 9. For that investigative work, the student reporter could face criminal charges.

Binghamton University has had other recent problems with information security. In the past year, according to an article written by Robert Glass, the WHRW news director, university employees accidentally e-mailed the Social Security numbers of 338 students to another group of 200 students, sent the personal information of exchange students -- passport scans and birth certificates -- to student groups, and disposed of information about more than 70 former graduate students in trash bins atop a pile of shredded documents.

Those breaches led the university to create an information security council, with a full-time information security officer, to prevent further incidents, according to Glass.

Glass did not immediately respond to a request for comment.

A university spokeswoman characterized the hiring of Terry Dylewski as the university's chief information security officer as a reflection of the school's ongoing concern about information security rather than as a response to past breaches.

Asked about the status of the students' petition to remove Dylewski, as reported by Broome County Fox affiliate WICZ TV, she said that question should be directed to the students.

The spokeswoman said the university is treating the incident as a possible crime and that a criminal investigation is ongoing. She said it is important to note that the storage area where the records were discovered is not a public space and that entry can only be gained by climbing onto a maintenance catwalk.

According to Glass' report, the door leading to the storage area had its latch held open with tape.

The spokeswoman was unable to provide information about whether the reporter who discovered the unlocked storage room would be charged with a crime such as trespassing. She said that depends on the outcome of the investigation.

A call to Broome County District Attorney Gerald Mollen seeking comment was not immediately returned.

According to Glass, quantifying the extent of the potential records exposure remains difficult. "Binghamton University has a yearly enrollment of roughly fourteen thousand people," he wrote. "If the information inside the room pertained only to the current students enrolled and their parents that would mean the story would [affect], roughly, forty-two thousand people. However, because the information goes back at least ten years, if not more, the potential number of people [affected] lies well in the hundred thousands."

Glass' account of the incident includes a handful of pictures documenting the accessible records.

The university spokeswoman said she had no information at this time about whether any of those records had been used for identity theft.

A recent report, "Breaches in the Academia Sector," by John Correlli of JMC Privacy Consulting Group, noted that from 2005 through 2007, there were 277 publicly reported breaches at colleges and universities in the United States. Eighty-nine of those incidents followed from unauthorized access, 45 came from accidental online exposure, and 37 were the result of a laptop theft.

And of the 263 reported privacy data breaches in the United States in 2008, about one-third (76) occurred at colleges and universities.

"As a direct consequence of an open environment, lack of comprehensive risk assessment oversight, outdated use of Social Security numbers as identifiers, and slow, and/or non-effective reaction to the latest security risks, unauthorized access rests atop of the list of privacy data breaches in the academic sector," the report said.
