Iowa State student information exposed for 6 years?
2008-02-07 14:24:20 by Evan Francen in The Breach Blog
 

Date Reported:
2/7/08

Organization:
Iowa State University

Contractor/Consultant/Branch:
None

Victims:
Former students who attended course "ME 325" during the spring of 2001

Number Affected:
26

Types of Data:
Names, Social Security numbers, email addresses, scores, and grades.

Breach Description:
An Iowa State University professor inadvertently posted confidential personal information belonging to former students through the school's publicly accessible web server (iastate.edu).

Reference URL:
The Des Moines Register online story
SSNBreach.org Press Release

Report Credit:
SSNBreach.org and the Des Moines Register, with a special thanks to "Coop", a Breach Blog reader.

Response:
From the online source cited above:

An Iowa State University professor posted the names, Social Security numbers, scores, and grades of 26 former students who had taken the course "ME 325" in the spring of 2001.
[Evan] I think that this is presumed. There is no definitive evidence that the professor, Gloria Starns, actually posted the information herself (at least how I read it). Allowing professors to post information to a publicly accessible Internet site makes me feel a little uneasy (risky).

The information, along with e-mail addresses, was posted on Iowa State University servers, undetected since January 10, 2002.

Iowa State University indicates that it does not have a regular policy of searching text- and non-text-based files on public servers to determine whether they may contain sensitive information, according to the press release.
[Evan] Let's hope that this is likely to change.
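
A periodic scan of the kind the press release says ISU did not perform can start as small as the following. This is an added example, not code from the original post or from ISU; it handles only text-decodable files (PDFs and spreadsheets would need text extraction first), and the function names, the sample web root and the SSN-shaped values are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Candidate SSNs: 3-2-4 digits using one consistent separator (dash, space, or none).
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

def plausible_ssn(area, group, serial):
    """Apply SSA structural rules (never-issued ranges) to cut false positives."""
    return not (area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000")

def scan_text(text):
    """Return (line_number, masked_value) for every plausible SSN in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            area, _, group, serial = m.groups()
            if plausible_ssn(area, group, serial):
                # Mask the value so the scan report does not become a second exposure.
                hits.append((lineno, "***-**-" + serial))
    return hits

def scan_tree(root, max_bytes=5_000_000):
    """Walk a web root and map each file containing SSN-shaped values to its hits."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        text = path.read_bytes().decode("utf-8", errors="ignore")
        hits = scan_text(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Build a constructed web root holding a grade sheet, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        course = Path(root, "course")
        course.mkdir()
        (course / "grades.txt").write_text(
            "Name, SSN, Score, Grade\n"
            "Student A, 123-45-6789, 91, A\n"          # constructed value
            "Student B, 219 09 9999, 78, C\n"          # constructed value
            "Office 515-555-0100, part 987-65-4321, order 000-12-3456\n"
        )
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Run on a schedule against the document root, a scan like this would surface a posted grade sheet within days of upload instead of years.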

Commentary:
1.  Social Security numbers in the hands of a professor? There is no good reason for a professor to have access to this information. The information in this breach was/is seven years old, and the school now uses "random university identification numbers", so it appears as though the school has taken some steps to protect confidential information.

2.  I hope that computer system change control for key systems has been implemented that would disallow a professor, or any other person not specifically trained, from posting public information. Again, this was seven years ago allegedly, so maybe it is safe to assume that things have changed?

Take a peek at the Iowa State Code of Ethics Policy and feel free to comment.

Past Breaches:
Unknown


 
 
 
 
 
 