Posts Tagged ‘Social Security numbers’

Zeus Compromises Student Data at University of Oklahoma

Monday, July 12th, 2010

The University of Oklahoma has revealed that a laptop compromised by a variant of the Zeus botnet may have exposed or compromised sensitive information on OU students, including Social Security numbers. No further details are available yet regarding the scope of the potential compromise. According to this blurb from KOCO.com, though, “OU officials said they are not aware of any instances of identity theft or similar problems as a result of the breach, but they said they can’t be certain that student information was not compromised.”

One way that OU would be able to be certain that student information was not compromised is if the data stored on the laptop, or on servers the laptop has access to, was encrypted. I am not sure why these incidents seem to occur almost exclusively at medical establishments and educational institutions, but simply investing in the proper security controls up front can save the organization time, money, and embarrassment, as well as protect the personal and sensitive information it has been entrusted with.

Tufts University Alumni Data Exposed by Malware

Monday, June 14th, 2010

What is it about networks and data at universities and medical establishments? It seems like almost every breach of sensitive or personal data is related to these two types of institutions. Are they targeted more often than other types of networks, or do they just have weaker security and poorer data protection mechanisms in place?

Following on the heels of the recent botnet compromise at Penn State University, Tufts University has discovered that “several computers were recently exposed to an unknown virus or malicious software program.” As a result, roughly 7000 alumni may have had their student ID numbers exposed, and as at Penn State University, the breached data is legacy data from a time when the university used the student’s Social Security number as their student ID number.

Universities, including both Penn State University and Tufts University, have abandoned that practice, but apparently have not found the time to go back through archive data and old databases to purge legacy information from the servers. While that is still a good idea, and a project that these universities should be pursuing, having sufficient data protection controls in place, such as encrypting the stored data, would ensure that it would not be exposed even in the event of a malware compromise or breach of the server itself.
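The legacy clean-up described above can be started from an export of the old student ID column. The following is an added example, not part of the original post: it flags student IDs that have the shape of a Social Security number and replaces them with a keyed pseudonym (HMAC-SHA256, a technique chosen here for illustration). The column name `student_id`, the CSV layout, the key and the sample rows are all constructed assumptions.

```python
import csv
import hashlib
import hmac
import io
import re

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

def looks_like_ssn(value):
    """True if value is SSN-shaped and passes basic SSA allocation rules."""
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = m.groups()
    # Never issued: area 000, 666, 900-999; group 00; serial 0000.
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"

def pseudonym(value, key):
    """Stable replacement ID so old records stay linkable without the SSN."""
    # Keyed on purpose: only 10^9 SSNs exist, so an unkeyed hash is guessable.
    digits = re.sub(r"\D", "", value)
    return "SID-" + hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]

def scrub(csv_text, key, column="student_id"):
    """Return (cleaned CSV text, number of SSN-shaped IDs replaced)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    replaced = 0
    for row in reader:
        if looks_like_ssn(row[column]):
            row[column] = pseudonym(row[column], key)
            replaced += 1
        writer.writerow(row)
    return out.getvalue(), replaced

# Constructed sample rows; the two SSN-shaped values are well-known specimens.
SAMPLE = """student_id,name,class_year
078-05-1120,Constructed Alumna,1994
219099999,Constructed Alumnus,1997
T00481516,Constructed Student,2009
000-12-3456,Constructed Invalid Area,1990
"""

if __name__ == "__main__":
    print(scrub(SAMPLE, b"constructed-demo-key")[0])
```

Any genuine nine-digit ID that is not an SSN will also be flagged, so the count is an upper bound to review before the change is applied to a real archive.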

A small investment in proactive security measures goes a long way and saves the organization from the lost reputation, time, and money involved in responding to a data breach incident.