Binghamton Data Breach Threatens CISO's Position

The discovery of documents with students' personally identifying information stored in an unlocked room has launched protests against the university's chief information security officer.

Students at Binghamton University in New York are circulating a petition to remove the university's chief information security officer following the discovery of boxes full of documents listing personal information of students and parents in an unlocked storage room.

The existence of the unsecured documents was discovered March 6 by a reporter working for student radio station WHRW and disclosed on March 9. For that investigative work, the student reporter could face criminal charges.

Binghamton University has had other recent problems with information security. In the past year, according to an article written by Robert Glass, the WHRW news director, university employees accidentally e-mailed the Social Security numbers of 338 students to another group of 200 students, sent the personal information of exchange students -- passport scans and birth certificates -- to student groups, and disposed of information about more than 70 former graduate students in trash bins atop a pile of shredded documents.

Those breaches led the university to create an information security council, with a full-time information security officer, to prevent further incidents, according to Glass.

Glass did not immediately respond to a request for comment.

A university spokeswoman characterized the hiring of Terry Dylewski as the university's chief information security officer as a reflection of the school's ongoing concern about information security rather than a response to past breaches.

Asked about the status of the students' petition to remove Dylewski, as reported by Broome County Fox affiliate WICZ TV, she said that question should be directed to the students.

The spokeswoman said the university is treating the incident as a possible crime and that a criminal investigation is ongoing. She said it is important to note that the storage area where the records were discovered is not a public space and that entry can only be gained by climbing onto a maintenance catwalk.

According to Glass' report, the door leading to the storage area had its latch held open with tape.

The spokeswoman was unable to provide information about whether the reporter who discovered the unlocked storage room would be charged with a crime such as trespassing. She said that depends on the outcome of the investigation.

A call to Broome County District Attorney Gerald Mollen seeking comment was not immediately returned.

According to Glass, quantifying the extent of the potential records exposure remains difficult. "Binghamton University has a yearly enrollment of roughly fourteen thousand people," he wrote. "If the information inside the room pertained only to the current students enrolled and their parents that would mean the story would [affect], roughly, forty-two thousand people. However, because the information goes back at least ten years, if not more, the potential number of people [affected] lies well in the hundred thousands."

Glass' account of the incident includes a handful of pictures documenting the accessible records.

The university spokeswoman said she had no information at this time about whether any of those records had been used for identity theft.

A recent report, "Breaches in the Academia Sector," by John Correlli of JMC Privacy Consulting Group, noted that from 2005 through 2007, there were 277 publicly reported breaches at colleges and universities in the United States. Eighty-nine of those incidents followed from unauthorized access, 45 came from accidental online exposure, and 37 were the result of a laptop theft.

And of the 263 reported privacy data breaches in the United States in 2008, about one-third (76) occurred at colleges and universities.

"As a direct consequence of an open environment, lack of comprehensive risk assessment oversight, outdated use of Social Security numbers as identifiers, and slow, and/or non-effective reaction to the latest security risks, unauthorized access rests atop of the list of privacy data breaches in the academic sector," the report said.
