UNC Latest College to Unveil Data Breach
Colleges, Universities are Popular Targets
October 5th, 2009 Phillip Britt
The University of North Carolina at Chapel Hill this week began notifying the participants in a federally funded mammography study that their personal information may have been breached.
According to information the university provided to a local newspaper, the breach involved 236,000 total records, including 163,000 Social Security numbers from women who had participated in the study. Their records had been on a computer at the university’s School of Medicine. The study has been going on for 15 years.
The breach, university officials said, may have occurred two years ago. It was initially discovered in July; the notifications were just going out, university officials said, because it took some time for the computer forensics team to determine what records may have been compromised. State law requires notification of people whose records were compromised in the event of such a breach even if, as in this case, it is unknown whether the compromised records were ever actually acquired by a hacker and it is known only that they were exposed.
The breach adds to several announced by higher education institutions this year. Just a few examples:
• The University of Rochester in January reported that personal information for 450 current and former university students was stolen from a university database.
• An Abilene Christian University computer server was hacked near the end of February. An e-mail dated one week ago from the college's information technology branch states that the school experienced a security breach in a database containing myACU usernames and passwords tied to the school's internal e-mail system.
• Also in February, a cyber burglar crept into the University of Florida's computer system, jeopardizing the personal information of almost 100,000 people.
• In June, hackers broke into the computers of the Oregon University and posted a message telling President Barack Obama to stop talking about the disputed Iranian election.
• In July, the personal information of nearly 800 students who attended The University of Colorado at Colorado Springs was compromised after a faculty member's laptop was stolen.
Colleges and universities are at high risk for such breaches for several different reasons:
• They have massive amounts of identity information for students.
• They conduct large amounts of research requiring the storage of more data, some of it personal.
• Due to this treasure trove of information, they are natural targets of hackers.
• In addition to the treasure trove of information, they have some of the nation’s most powerful computers, which not only house sensitive information but, in the wrong hands, can be used in attempts to break into other systems on and off campus.
• They have some very knowledgeable students who may have physical access to the information or who may know enough about the institution’s security systems or policies to be able to break in relatively easily.
The University of North Carolina at Chapel Hill case should give university officials and study participants alike some pause when they are involved in research. While some identifying information is certainly necessary (e.g., weight and age could be very important factors in a medical study), only the information that is absolutely necessary should be retained (e.g., a “subject identifier” other than a Social Security number could have been used).