02:57 PM
Connect Directly

Binghamton Data Breach Threatens CISO's Position

The discovery of documents with students' personally identifying information stored in an unlocked room has launched protests against the university's chief information security officer.

Students at Binghamton University in New York are circulating a petition to remove the university's chief information security officer following the discovery of boxes full of documents listing personal information of students and parents in an unlocked storage room.

The existence of the unsecured documents was discovered March 6 by a reporter working for student radio station WHRW and disclosed on March 9. For that investigative work, the student reporter could face criminal charges.

Binghamton University has had other recent problems with information security. In the past year, according to an article written by Robert Glass, the WHRW news director, university employees accidentally e-mailed the Social Security numbers of 338 students to another group of 200 students, sent the personal information of exchange students -- passport scans and birth certificates -- to student groups, and disposed of information about more than 70 former graduate students in trash bins atop a pile of shredded documents.

Those breaches led the university to create an information security council, with a full-time information security officer, to prevent further incidents, according to Glass.

Glass did not immediately respond to a request for comment.

A University spokeswoman characterized the hiring of Terry Dylewski as the university's chief information security officer as a reflection of the school's ongoing concern about information security rather than a response to past breaches.

Asked about the status of the students' petition to remove Dylewski, as reported by Broome County Fox affiliate WICZ TV, she said that question should be directed to the students.

The spokeswoman said the university is treating the incident as a possible crime and that a criminal investigation is ongoing. She said it is important to note that the storage area where the records were discovered is not a public space and that entry can only be gained by climbing onto a maintenance catwalk.

According to Glass' report, the door leading to the storage area had its latch held open with tape.

The spokeswoman was unable to provide information about whether the reporter who discovered the unlocked storage room would be charged with a crime such as trespassing. She said that depends on the outcome of the investigation.

A call to Broome County District Attorney Gerald Mollen seeking comment was not immediately returned.

According to Glass, quantifying the extent of the potential records exposure remains difficult. "Binghamton University has a yearly enrollment of roughly fourteen thousand people," he wrote. "If the information inside the room pertained only to the current students enrolled and their parents that would mean the story would [affect], roughly, forty-two thousand people. However, because the information goes back at least ten years, if not more, the potential number of people [affected] lies well in the hundred thousands."

Glass' account of the incident includes a handful of pictures documenting the accessible records.

The university spokeswoman said she had no information at this time about whether any of those records had been used for identity theft.

A recent report, "Breaches in the Academia Sector," by John Correlli of JMC Privacy Consulting Group, noted that from 2005 through 2007, there were 277 publicly reported breaches at colleges and universities in the United States. Eighty-nine of those incidents followed from unauthorized access, 45 came from accidental online exposure, and 37 were the result of a laptop theft.

And of the 263 reported privacy data breaches in the United States in 2008, about one-third (76) occurred at colleges and universities.

"As a direct consequence of an open environment, lack of comprehensive risk assessment oversight, outdated use of Social Security numbers as identifiers, and slow, and/or non-effective reaction to the latest security risks, unauthorized access rests atop of the list of privacy data breaches in the academic sector," the report said.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio