Educause Security Discussion mailing list archives

Re: How do you handle "indirect" data breaches from "Have I Been Pwned"


From: "Hillhouse, Bob (Bob)" <0000010ac8b8c023-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Fri, 16 Aug 2019 13:46:54 +0000

Jim,

We have attempted to be “helpful” in the past by informing our constituents of a breach. It generated questions about 
how “we” protect their information even though the disclosure had nothing to do with our institution beyond the use of 
their institutional email address as a username. There was also a degree of panic (which isn’t ALL bad). Communicating 
WHY an institutional department is contacting them about their fitness, or bank, or whatever is challenging; helping 
them understand the connection is challenging.

We always make it clear that we’re informing them as a public service and use it as a chance to create awareness in 
regard to their “digital double”; that online form of themselves that lives on the interweb. We also find that a lot 
of folks forget that they had even signed up or used their @edu address.

Should we notify them? Carefully, IMHO.

--
Bob Hillhouse, CISSP
Associate CIO & CISO
The University of Tennessee, Knoxville


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Jim A. Bole" 
<jbole () STEVENSON EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, August 16, 2019 at 9:39 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] How do you handle "indirect" data breaches from "Have I Been Pwned"

How do you handle third-party data breaches that could have an indirect connection to your institution, such as an 
individual using their .edu account for a personal cloud service, etc.?

We subscribe to haveibeenpwned.com’s domain search notification service. We’ve seen a steady increase in notifications 
around these types of services:

  *   Chegg
  *   Canva
  *   Adobe

And then there are the usual personal services (fitness apps, tickets, etc.).

Should we notify potentially impacted accounts? If so, what guidance should be provided?

Seems there’s a balance in being helpful but at the same time not assuming any liability or support burden.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696


