informa
/
Attacks/Breaches
News

Binghamton Data Breach Threatens CISO's Position

The discovery of documents with students' personally identifying information stored in an unlocked room has launched protests against the university's chief information security officer.
Students at Binghamton University in New York are circulating a petition to remove the university's chief information security officer following the discovery of boxes full of documents listing personal information of students and parents in an unlocked storage room.

The existence of the unsecured documents was discovered March 6 by a reporter working for student radio station WHRW and disclosed on March 9. For that investigative work, the student reporter could face criminal charges.

Binghamton University has had other recent problems with information security. In the past year, according to an article written by Robert Glass, the WHRW news director, university employees accidentally e-mailed the Social Security numbers of 338 students to another group of 200 students, sent the personal information of exchange students -- passport scans and birth certificates -- to student groups, and disposed of information about more than 70 former graduate students in trash bins atop a pile of shredded documents.

Those breaches led the university to create an information security council, with a full-time information security officer, to prevent further incidents, according to Glass.

Glass did not immediately respond to a request for comment.

A University spokeswoman characterized the hiring of Terry Dylewski as the university's chief information security officer as a reflection of the school's ongoing concern about information security rather than a response to past breaches.

Asked about the status of the students' petition to remove Dylewski, as reported by Broome County Fox affiliate WICZ TV, she said that question should be directed to the students.

The spokeswoman said the university is treating the incident as a possible crime and that a criminal investigation is ongoing. She said it is important to note that the storage area where the records were discovered is not a public space and that entry can only be gained by climbing onto a maintenance catwalk.

According to Glass' report, the door leading to the storage area had its latch held open with tape.

The spokeswoman was unable to provide information about whether the reporter who discovered the unlocked storage room would be charged with a crime such as trespassing. She said that depends on the outcome of the investigation.

A call to Broome County District Attorney Gerald Mollen seeking comment was not immediately returned.

According to Glass, quantifying the extent of the potential records exposure remains difficult. "Binghamton University has a yearly enrollment of roughly fourteen thousand people," he wrote. "If the information inside the room pertained only to the current students enrolled and their parents that would mean the story would [affect], roughly, forty-two thousand people. However, because the information goes back at least ten years, if not more, the potential number of people [affected] lies well in the hundred thousands."

Glass' account of the incident includes a handful of pictures documenting the accessible records.

The university spokeswoman said she had no information at this time about whether any of those records had been used for identity theft.

A recent report, "Breaches in the Academia Sector," by John Correlli of JMC Privacy Consulting Group, noted that from 2005 through 2007, there were 277 publicly reported breaches at colleges and universities in the United States. Eighty-nine of those incidents followed from unauthorized access, 45 came from accidental online exposure, and 37 were the result of a laptop theft.

And of the 263 reported privacy data breaches in the United States in 2008, about one-third (76) occurred at colleges and universities.

"As a direct consequence of an open environment, lack of comprehensive risk assessment oversight, outdated use of Social Security numbers as identifiers, and slow, and/or non-effective reaction to the latest security risks, unauthorized access rests atop of the list of privacy data breaches in the academic sector," the report said.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5