BreachExchange mailing list archives

Another two universities suffer data breaches, but notification still too slow


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 13 Mar 2014 19:35:43 -0600

http://nakedsecurity.sophos.com/2014/03/13/another-two-universities-suffer-data-breaches-but-notification-still-too-slow/

Universities seem to be evergreen targets for hackers, with two more
breaches announced in the past week or so.

This time it's been the turn of North Dakota University System and the
prestigious Johns Hopkins University in Baltimore, Maryland, both of which
have had to warn their staff and students about potential data theft and
identity theft.

The Johns Hopkins breach looks fairly minor at first glance. A web server
in the Department of Biomedical Engineering was compromised and a fairly
small amount of data extracted.

This was initially thought to be mainly information already publicly
available, contact and biographical information for staff, but it was later
found to include names and addresses for around 850 current and former
students. No financial information, or other sensitive data such as social
security numbers (SSNs), is thought to have been taken.

The most interesting aspect to this incident is the involvement of
"hacktivists" claiming affiliation to the Anonymous group.

Having broken into the server and gathered the available data, they then
apparently contacted the university demanding access to other parts of
their networks, threatening to publish the stolen data if their demands
weren't met.

The university, of course, refused to comply and the data was duly posted
online, along with a ranting message claiming the action was intended as a
punishment for the university's failure to fully secure its webserver.

Anonymous is by intention a fairly vague and ill-defined collective, and
actions carried out in its name may often not have any real association
with the rest of the group.

In this case, the tone of the message and the behaviour it accompanies seem
almost designed to come across as illogical and pointlessly aggressive,
destroying any sympathy the group's more public-spirited engagements may
have inspired.

Johns Hopkins did the right thing in ignoring the extortion attempt,
although their public response to the incident may seem a little slow.

The breach itself is thought to have taken place in late 2013, and "came to
light" thanks to a Twitter posting in January, but officials do not appear
to have gone public with the information until shortly after the failed
extortion attempt led to the data being publicly posted online.

That happened on March 6th, with the university's official statement
released the following day.

The North Dakota case is a little more serious, and again public
notification appears to have been somewhat delayed.

North Dakota University System (NDUS) comprises several universities and
colleges in the North Dakota region, which between them enrolled just under
50,000 new students last year. The body has a pretty hefty budget, with
$1.3 billion expected spending this financial year.

Their breach involved a server accessed using compromised login accounts.
No information has yet been released on how the accounts were taken over,
but spearphishing is a likely candidate.

The illicit access began in October 2013, and was discovered in early
February. Public disclosure was not made until March 3rd.

The systems breached contained personal data, including SSNs but not
financial data, on not far short of 300,000 students and several hundred
staff.

Initial investigations suggested this information was not accessed or
exfiltrated, the server instead being used for other malicious purposes.

However, later reports hint at increased phishing activity targeting
associated people, and imply the data was stored unencrypted, contrary to
both university policy and good sense.

The NDUS official FAQ on the incident explains the month-long delay in
public notification by claiming they needed to examine and secure the
server:

"Question: Why was there a delay in notifying me about this incident?
Answer: We needed time to conduct an investigation and forensic analysis to
properly understand the scope of the incident and who was affected. We also
needed to make sure the server was properly secured prior to making
notifications that could attract the attention of other attackers."

One would hope that a decent sysadmin would be able to tell you fairly
quickly how much sensitive personal data was stored on a given server, and
disconnecting a compromised machine from the network, surely the first step
as soon as a breach is discovered, shouldn't take a full month either. A
minute or two should be plenty.
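As an added example (not part of the original article, and not code from either university), the kind of quick inventory the paragraph above has in mind: a small scan that walks a server's filesystem and counts records that look like US Social Security numbers, applying the SSA's structural rules (area not 000, 666 or 900-999, group not 00, serial not 0000) so that phone numbers and ticket IDs are not counted. The sample files it builds in a temporary directory are constructed for the demonstration; the file names and contents are assumptions, not data from the incident.

```python
"""Quick inventory of SSN-like records under a directory tree.

Added example for this archive post; the sample files are constructed,
not taken from the NDUS or Johns Hopkins incidents.
"""
import os
import re
import tempfile

# US SSN in the conventional AAA-GG-SSSS form.  The regex is deliberately
# loose; is_plausible_ssn() applies the SSA structural rules afterwards.
# The lookarounds stop a longer digit run such as 1234-45-6789 from
# matching on its tail.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000.  This removes most phone- and ID-like hits."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def count_ssn_like(text: str) -> int:
    """Number of plausible SSNs in a block of text."""
    return sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))


def scan_tree(root: str, max_bytes: int = 50 * 1024 * 1024) -> dict:
    """Walk a directory tree and return {path: hit_count} for every file
    containing at least one plausible SSN.  Files are read as text with
    undecodable bytes ignored, so binaries simply yield no matches; files
    above max_bytes are skipped to keep the scan quick."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    n = count_ssn_like(fh.read())
            except OSError:
                continue
            if n:
                hits[path] = n
    return hits


def build_sample_tree() -> str:
    """Constructed sample data (assumption, not incident data): a fake
    student export, a log with ID-like strings that are not valid SSNs,
    and a config file with none.  Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="ssn_inventory_")
    os.makedirs(os.path.join(root, "exports"))
    with open(os.path.join(root, "exports", "students.csv"), "w") as fh:
        fh.write("id,name,ssn\n")
        fh.write("1,A Student,123-45-6789\n")
        fh.write("2,B Student,219-09-9999\n")
        fh.write("3,C Student,000-12-3456\n")   # area 000: not counted
    with open(os.path.join(root, "app.log"), "w") as fh:
        fh.write("ticket 666-01-2345 closed\n")  # area 666: not counted
        fh.write("ref 987-65-4321 ok\n")          # area 900+: not counted
    with open(os.path.join(root, "app.conf"), "w") as fh:
        fh.write("listen = 0.0.0.0:8080\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, n in sorted(scan_tree(root).items()):
        print(f"{n:4d}  {os.path.relpath(path, root)}")
```

Run against the sample tree, only exports/students.csv is reported, with two hits; the log file's ID-like strings are discarded by the structural rules. In a real engagement the same walk would be pointed at document roots, database dumps and home directories, and the output is the list of files whose exposure would trigger notification.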

Even in these cases, where leakage of data which could be used for identity
theft is thought to have been minimal or non-existent, informing those whose
information may be at risk should be the first priority.

Pondering how great the risk might be, or just how many people might be
affected, can be done later on. If there's any possible danger of exposure,
people need to know as soon as possible.

Educational bodies make ideal targets for hacking, combining rich seams of
personal information and potentially valuable research data with diverse,
under-funded computing systems.

Breaches seem to come in clusters, as we saw last July with Stanford and
Delaware universities announcing data leaks within a week of each other.

This latest cluster started a few weeks ago with a large breach at the
University of Maryland, near neighbours of Johns Hopkins, where again large
numbers of records were taken but notification was both prompt and
comprehensive.

In that case, as in many others, identity monitoring services have been
provided to help people ensure their identities remain their own.

Users of such services may want to take care though, with major provider
Experian adding data mis-selling headaches to an already hefty history of
breaches.

All this seems to strengthen the case for better standards for breach
notifications.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
