Tuesday, February 24, 2009

University of Florida Breach: Detected, Eradicated, and Educated

Detected (sounded like an internal effort):

"On January 14, 2009, the University of Florida discovered that a server was accessed by an unauthorized intruder from outside UF. This server contained names and Social Security Numbers (SSNs) for 97,200 people that used the system between 1996 and 2009. Although no evidence was found that this information was accessed, there is no absolute certainty that it was not."

Eradicated:

"...the University of Florida discovered that a configuration error allowed outside access to a directory containing Social Security numbers, information normally protected from unauthorized access. UFID numbers and Social Security numbers were used interchangeably for verification purposes until the university discontinued the practice in 2003.

The configuration error was fixed immediately. An investigation revealed the error allowing the unauthorized access had been made four months earlier by an information technology specialist working on the directory. We have no evidence any personal information was obtained, but out of an abundance of caution, the University is working to notify those individuals with information on the directory

Educated

"Answers to Commonly Asked Questions Regarding Grove Incident"

When I went through the list of questions and answers, I was impressed. They did a great job of detailing just about every question that goes through someone's mind when they're affected by something like this.

Obviously, breach = no good. On the other hand, I think (from a high-level) the University did a great job in how they reacted. And isn't it all about detection and reaction?

First off, they perform system audits and are actively looking for anomalies. It's how they found the compromise. This is a clear indicator that they take information security risk and minimum security baselines seriously.

Second, they decided to err on the side of caution. They stated that after their investigation and forensic analysis (which lasted 2 weeks) gave no indication that Personally Identifiable Information (PII) was accessed or copied, but there was no definitive indication that it WAS NOT. This is key. If you can't prove that information has NOT been compromised, you need to notify the people potentially impacted. Notification is expensive. I'm sure it was for the University: more than 97,200 people. On top of that, they don't have contact information for 5,000 of the affected. Again, more time and effort will be spent by the University to track down those people and notify them. To summarize, they did the right thing.

Finally, they used the breach to effectively communicate a LOT of information about information privacy, details around the incident, and effectively highlight their Information Privacy repository. Education, education, education. All of the news sources point to their Privacy site.

Security breaches happen. How you react to the breach (do we notify? priority of incident?) as well as how you educate those parties affected sets you apart from the flunkies. From a 20,000 foot view, the Gators did a good job...

No comments: