Three universities recently reported security breaches that compromised student and faculty private data. While unrelated, these incidents underscore the importance of educating employees about the security implications of accidentally misplacing data.
Nine lists containing personal information on 6,030 students were leaked online by a Missouri State University employee in November 2010, but the breach was not identified until Feb. 22, wrote Kevin Shwaller of OzarksFirst.com.
The university had created lists of students who'd studied at the College of Education at MSU between 2005 and 2009 to submit for the accreditation approval, according to the March 3 article. The lists contained names and Social Security numbers, the university said.
Although the list was supposed to be uploaded to a secure server accessible only to university personnel as part of the accreditation process, it ended up on an insecure server, exposing it to the Google spiders indexing the Web, the university said. The MSU IT team is currently working with Google to remove all leaked lists from the search engines indexes, the university said.
Organizations usually have 60 to 120 days to approach a breach. In this case, MSU acted very promptly.
Employees don't understand the risks of mishandling sensitive information, Geoff Webb, director of product marketing at Credant Technologies, told eWEEK. While training on what to do with data is important, users need to think about security all the time, and not just as a "check-box item" to address once a year, he said.
It's an education problem, said Josh Shaul, CTO of Application Security, told eWEEK. For example, if a laptop with sensitive information is lost, employees think of it in terms of a lost computer and not as a corporate data breach, he said. They don't realize there's no difference, he said.
That is similar to what happened at South Carolina's Midlands Tech, where a contractor walked off with a flash drive containing personal information on employees. Even though the drive was returned immediately and the university doesn't think anyone actually used the information, the university will still pay for credit monitoring for concerned employees, said Todd Gavin, a Midlands Tech spokesperson.
Employees need to think about security as they walk around with terabytes of storage in their pocket, Webb said.
As for the MSU incident, there were "23 hits" on pages containing the exposed student data, and "every one of these hits was from residential type areas that we could determine," said Jeff Morrissey, an MSU spokesman.
All but six students have been notified of the breach because the university was still searching for an address, phone number or e-mail address for them, Morrissey said. MSU has notified the Missouri Attorney General and has taken disciplinary action against the employee who posted the lists.