BY JIM DOOLEY – The year-long public exposure of personal information belonging to 40,000 University of Hawaii alumni “could have been prevented” if the university had taken “some fairly simple” data protection measures, said the man who discovered the security breach.
Aaron Titus, Privacy Director at Liberty Coalition, a Washington, D.C., non-profit agency, said he found personal data on 40,000 students who attended UH between 1990 and 1998 and in 2001 by performing some “advanced Google searches” and “thinking like an id thief.”
The information, including birth dates and social security numbers, was stored on an unsecured UH computer server by a now-retired UH West Oahu Campus professor researching the achievements of UH students after graduation.
Titus of Liberty Coalition says he has discovered dozens of similar security breaches in the past, most of them at universities around the country. The largest involved personal information of 250,000 individuals held by a Florida state employment office. And the University of Louisiana regents inadvertently released personal information on 200,000 individuals. The University of Hawaii release is the third largest found by Titus, he says.
Titus informed UH officials of the security breach earlier this month and the data was removed from public view immediately afterward. This was nearly 11 months after it became available.
Titus says he was unaware of any illicit use of the information by identity thieves, but adds “those types of problems are extremely difficult to track.”
UH officials were unable to comment in detail today — a state holiday — on the issue, but said previously they were contacting all affected individuals and conducting an internal investigation.
Email notices sent last week to impacted alumni report the university “has no evidence that anyone’s personal information was accessed for malicious intent.”
University spokeswoman Tina Shelton said today, “The university system is NOT aware of any actual security breaches raised by the inadvertent exposure by the UH West Oahu professor.”
Concerned students can call (808) 956-6000 during weekday business hours or check the web at http://www.uhwo.hawaii.edu/idalert
The Honolulu police and the FBI are also working on an investigation of the information breach.
UH graduate Paul Philpott said he is one of the alums whose personal information was exposed and has spoken to other friends and classmates who are very disturbed by the breach.
“None of us have given any authority to any person or institution to have our identities used, put on the Internet, or to be used in a study on us,” Philpott wrote in an email.
“For those affected that I have talked with, explanations and help should be immediate and detailed,” Philpott says.
“It’s my impression that the University of Hawaii is a few years behind in its IT (information technology) security,” said Titus of Liberty Coalition in a telephone interview.
“This could have been prevented if the university had a policy of scanning its IT system for records containing personal information like social security numbers,” he says, adding software programs and information technology experts are available to perform such searches.
Shelton said UH President M.R.C. Greenwood “takes this data release very seriously” and has directed UH IT Vice President David Lassner “to begin researching the best commercial programs available and their costs.”
The programs “are not cheap,” Shelton noted, adding that the university has struggled in recent years with severe budget cuts and spending restraints.
But measures to upgrade the security of personal information at the university “are underway,” Shelton says.
“UH does not dispute the fact that there are many universities with far more resources invested in information security than UH,” Lassner said. “There are also universities with less effective security programs. In general, universities are far more decentralized than other types of enterprises. This presents some unique challenges relative to banks, hospitals and most businesses.”
Titus says universities typically “have a core information system that is jealously guarded by a small army of professionals and that is very difficult to penetrate.”
“But real problems occur because of ‘shadow systems,’” which involve copies of data that are taken from the secure core and placed in other insecure sites, says Titus. The UH West Oahu data release came from such a site, he says.
UH officials said last week that the professor using the data had obtained it from “the UH System’s Institutional Research Office” and then placed it “on a faculty web server that was thought to be secured.”
Maintaining information security in a university setting is a challenging task – departments and professors are fiercely protective of their independence and their research, Titus says.
“To the average professor, those pesky IT security people just get in the way,” Titus adds.
Titus said he will host a conference call at 10:30 a.m. Hawaii time tomorrow to discuss details of his investigation with UH alumni and other interested parties.
To participate, call (610) 214-0200 and enter access code 863597#.