A Likelihood of Secure
April 10, 2012
A security breach at the University of Tampa exposed the personal records of almost 7,000 students. A class doing a random Google search was able to gather the social security numbers, dates of birth, and student ID information of students and staff. It was an apparent “server management error.” A spokesperson for the campus IT department said that while the risk to students was minimal, such breaches in security were common. She equated it to changing the locks on your home, and said that nothing is ever completely secure.
Common to whom, and what qualifies as minimal risk?
Anyone with access to this information could purchase a cellular plan, get a credit card, or even file for tax returns or purchase a home. While the students who discovered the breach saw only strings of numbers, anyone maliciously trying to hack into a system would easily be able to glean the information that they wanted or needed.
It is estimated that almost 50 institutions suffered a significant security breach in 2011. Notable among them was Virginia Commonwealth University, which saw over 176,000 records compromised in November of last year. Its lapse in server security exposed the personal information of thousands of students who had attended classes over a period of several years. The university said that while the likelihood of infiltrators actually gaining information was very low, it couldn’t say for certain that it didn’t happen. The average cost of “fixing” a hack of this sort is $112 per record, and in the case of VCU, nearly $20 million was spent on updates, patches, and fixes. That’s a great deal of mopping up.
The tide of hacks, loopholes, and breaks hasn’t subsided. In the first two months of 2012, 300,000 records were left in the open at Arizona State University, and the Sun Devils are being tailed by anxious students from the University of North Carolina-Charlotte, Central Connecticut State University, and City College of San Francisco. And here you thought that San Francisco was the Petri dish for Silicon Valley tech-types. It may be a short ride from some of the biggest and brightest in information security, but apparently a long haul from the campus side of things.
There are obvious monetary costs to these lapses in “server judgment”. Institutions need to pay IT departments to code, debug, and patch the holes that allowed the breach. Servers are re-wired, re-firewalled, or replaced. The offending campus may also incur notification and legal expenses in addition to the software and hardware costs. In the case of the University of Hawaii, a class action suit forced the institution to purchase “credit monitoring plans” for almost 100,000 current and former students and staff. These plans can run as high as $15 per month. So, $1.5 million over the course of two years that won’t be going into education.
Many institutions feel better about hosting sensitive information on a dedicated server, often on-campus. It is a classic case of stuffing your money in your mattress and then letting the house burn down: closer does not always mean better. In the cases of VCU, ASU, and Hawaii, the servers and networks that were compromised were on-site.
The IT personnel at the institution may do a fantastic job of debugging software updates and replacing a cranky card reader, but are they up to date and proficient in database security? Might your information be safer in the hands of someone who does nothing but build, secure, and maintain databases? Like a hosted cloud server?
Or will you be content to let the guy at the Lube-N-Go change your brakes? He can’t guarantee that they’ll work, but there’s a likelihood that you’ll be safe the first time that you hit a traffic light.