
May 24, 2007

Stony Brook University Web Site Exposes the Names and Social Security Numbers for 89,853 Faculty, Staff, Students, Alumni, and University Community Members

Stony Brook University has disclosed (www.stonybrook.edu/disclosure) that a Health Sciences Center library web site had accidentally exposed a data file containing the names, Social Security numbers, and university ID numbers of 89,853 Faculty, Staff, Students, Alumni, and other members of the University community.

Although the university believes the data disclosure was accidental, this incident is very troubling. Why did the university keep this sensitive information in one computer file without any data encryption? Why did the university keep such sensitive information (computer file) on a web server?

Perhaps this incident at Stony Brook University will help other institutions of higher learning to rethink their information security governance and privacy initiatives. How many more incidents like these will happen before the U.S. Congress mandates stricter information security and privacy measures for educational institutions?

Comments

Misha, thank you for your insightful comments. I agree with you, there is no such thing as 100% security. Furthermore, I agree with you that America should not live in fear.

I believe we live in the greatest country on this earth. We have very talented people who have dedicated themselves in private industry and government service to provide us reasonable risk mitigation from threats to our way of life.

Misha, thanks for reminding us not to live in fear.

Best regards,

Jaime

Just thought I would let you know...
The question you pose: "Why did the university keep such sensitive information (computer file) on a web server?" is inaccurate. The information was only on a server from April 11 to April 24, the time of the actual breach in security. The server was not, obviously, the intended method of storage. Furthermore, you criticize the United States Federal Government, specifically Congress, as to "...stricter information security and privacy measures for educational institutions..." I'd like to point out that they themselves (Fed Gov) misappropriated two government laptops with vast amounts of highly classified information, when they ever so cleverly LOST them completely... I'm not disputing the fact that neither scenario is excusable. I'm simply pointing out the reality of "security": nothing, anywhere at any time is 100% secure; that doesn't mean America should live in fear.
