<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: gsas]]></title>
    <link>http://securityratty.com/tag/gsas</link>
    <description></description>
    <pubDate>Thu, 13 Mar 2008 21:25:51 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Harvard University warns graduate students about web hack]]></title>
      <link>http://securityratty.com/article/f8e9f01475e7c7289079631255a005d1</link>
      <guid>http://securityratty.com/article/f8e9f01475e7c7289079631255a005d1</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
3/12/08

Organization
Harvard University

Contractor/Consultant/Branch
Graduate School of Arts and Sciences

Victims
applicants for admission and...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/harvard.jpg" align="right" height="108" width="109"><span style="font-weight: bold;">Date Reported: </span><br>3/12/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.harvard.edu/">Harvard University</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.gsas.harvard.edu/">Graduate School of Arts and Sciences</a> <br><br><span style="font-weight: bold;">Victims:</span><br>"applicants for admission and housing"<br><br><span style="font-weight: bold;">Number Affected:</span><br>~10,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"name, Social Security number, date of birth, address, e-mail address, phone numbers, test scores, previous school attended, and school records"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"A Harvard Graduate School of Arts and Sciences (GSAS) Web server that contained summaries of GSAS applicant data for entry to the Fall 2007 academic year, summaries of GSAS housing applicant data for the 2007-08 and 2006-07 academic years, and administrator information was hacked by an outsider and compromised in a way that the data on the server could have been viewed or copied."<br><br><span style="font-weight: bold;">Reference URLs:</span><br><a href="http://www.news.harvard.edu/gazette/2008/03.13/99-hacked.html">Harvard University Gazette</a> <br><a href="http://www.boston.com/news/education/higher/articles/2008/03/13/harvard_student_applicant_files_breached/">The Boston Globe</a> <br><a href="http://news.bostonherald.com/business/technology/general/view.bg?articleid=1080025&amp;srvc=home&amp;position=also">The Boston Herald</a> <br><a href="http://www.bloomberg.com/apps/news?pid=20601087&amp;sid=a.kZmE2KEB.o&amp;refer=home">Bloomberg</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Robert Mitchell and Joe Wrinn, Harvard University 
Gazette<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>Harvard University notified students at the Graduate School of Arts and Sciences yesterday that their personal information may have been compromised when a hacker hijacked the school's server last month.<br><br>The GSAS site was taken down from Feb. 17 until Feb. 21 in order to investigate the incident and to improve security.<br><br>The University’s initial examination did not reveal the full extent of the hack. As the investigation continued, it became apparent that some sensitive applicant data, including Social Security numbers, could potentially have been accessed.<br><span style="font-style: italic;">[Evan] Without knowing all of the details, it seems like this was a poor incident response.</span><br><br>The University has informed the GSAS community, and has apologized for the error.<br><br>At Harvard’s expense, identity theft recovery services are being made available to the people who might be potentially affected.<br><br>Guarding against hacking is a constant battle as hackers continue to challenge and occasionally breach security systems. Harvard has taken and will continue to take steps to protect its servers as well as possible.<br><span style="font-style: italic;">[Evan] Yes, but this is absolutely no excuse.&nbsp; "Harvard has taken and will continue to take steps to protect its servers"?&nbsp; This is a problem.&nbsp; We don't aim to protect servers, we aim to protect information.</span><br style="font-style: italic;"><br>“Protecting personal information is something Harvard takes seriously, and we are truly sorry for the inconvenience and concern this incident may cause,” said Margot N. Gill, administrative dean of the GSAS.<br><br>“We are notifying and apologizing to the affected individuals and making identity theft recovery services available to them at our expense. 
Please be assured that we are taking steps to do what we can to prevent future incidents of this kind.”<br><br>The server contained summaries of data from approximately 10,000 applicants for admission and housing that were used by GSAS administrators during the admissions process and to match students with housing.<br><br>There were approximately 6,600 summaries from admissions candidates from the United States consisting of each applicant’s name, Social Security number, date of birth, address, e-mail address, phone numbers, test scores, previous school attended, and school records.<br><br>The remainder of the admissions data did not involve Social Security numbers. There were approximately 500 summaries of housing application data that included Harvard University ID numbers. A small number of housing application summaries (13) contained information about personal health issues such as food allergies.<br><br>Dan Moriarty, Harvard's chief information officer, said the college had strengthened its security system.<br><span style="font-style: italic;">[Evan] Had?&nbsp; How?</span><br><br>"This is really a cautionary tale for anyone in higher education," he said.<br><span style="font-style: italic;">[Evan] This is really a cautionary tale for people that do not secure confidential personal information properly.&nbsp; Higher education or not.</span><br style="font-style: italic;"><br>``This is really unprofessional, of course, and we're quite upset that something like this would happen at Harvard, of all places,'' said Patrick Hamm, a spokesman for Harvard's Graduate Student Council.<br><br>Harvard discovered the attack Feb. 
16 after information from 19 graduate student-housing applications appeared on an Internet site called Pirate Bay that hosts anonymous information, said Daniel Moriarty, the university's chief information officer.<br><span style="font-style: italic;">[Evan] Unreal.&nbsp; The school was not even aware of the breach when it occurred or even shortly after it occurred.</span><br><br>Kyle Brown, president of the Graduate Student Council, said the university's delay in realizing the extent of the hacking was troubling to him. <br><br>`No One Was Really Aware' <br><br>``No one was really aware of the scope,'' said Brown, 21. ``That, in of itself, may indicate a problem with the way Harvard goes about securing information. When someone breaks in, we need to know exactly what was compromised, soon.''<br><br>Because the University could not rule out the possibility that all of the information on this server was copied and distributed more broadly, notifications are being sent to all persons who may have been affected by this incident.<br><br>In situations where applicants’ Social Security numbers or Harvard University ID numbers may have been accessed, the notifications provide contact information for free use of the services provided by Kroll Inc.<br><br><span style="font-weight: bold;">Commentary:</span><br>My first thought was actually a question.&nbsp; Why was this information accessible on or through a web server?&nbsp; I assume that the web server was compromised and through it a back end database was accessible.&nbsp; So fine, this leads me to more questions.&nbsp; #1, Did the school conduct regular risk and vulnerability assessments and/or penetration tests on servers that collect, process or store confidential information?&nbsp; Unlikely in this case.&nbsp; #2, Why did the school not detect the breach as (or shortly after) it occurred?&nbsp; Information security cannot protect everything, but we can certainly be alerted when something is amiss.<br><br>Judging only 
from what I have read about this breach, I would have expected much more.<br><br>Lawd knows Hawvahd ain't cheap ya know.<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown<br><br>
]]></content:encoded>
      <pubDate>Thu, 13 Mar 2008 21:25:51 +0000</pubDate>
      <category domain="http://securityratty.com/tag/university">university</category>
      <category domain="http://securityratty.com/tag/harvard university">harvard university</category>
      <category domain="http://securityratty.com/tag/harvard university gazette">harvard university gazette</category>
      <category domain="http://securityratty.com/tag/harvard">harvard</category>
      <category domain="http://securityratty.com/tag/gsas administrators">gsas administrators</category>
      <category domain="http://securityratty.com/tag/gsas">gsas</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/gsas site">gsas site</category>
      <source url="http://breachblog.com/2008/03/14/harvard.aspx">Harvard University warns graduate students about web hack</source>
    </item>
  </channel>
</rss>
