PII About 800,000 Individuals Compromised at UCLA

Now Available:

Featured Resources:

Today CNN reported personally identifiable information (PII), Social Security numbers, home addresses and birth dates, about 800,000 current and former UCLA students, faculty and staff may have been compromised.

Surprisingly, the unauthorized access reportedly was occurring from October, 2005 through November 21 of this year when the security staff finally noticed suspicious activity.

The letter sent to the impacted individuals reportedly advises them to contact the credit monitoring agencies, and does not offer to provide this service for them.

Mentioned in the report was an Educause survey that found over 25% of 400 colleges had exerienced a security breach involving PII in the past 12 months.

The open environments within schools certainly increase their information security vulnerabilities.

So how did the breach occur?

"Jim Davis, UCLA's chief information officer, said a computer trespasser used a program designed to exploit an undetected software flaw to bypass all security measures and gain access to the restricted database that contains information on about 800,000 current and former students, faculty and staff, as well as some student applicants and parents of students or applicants who applied for financial aid."

A few lessons learned:
* Information security and privacy must be programmed into all applications and systems, and addressed from the very planning phases all the way through to applications/systems retirement.
* Organizations must have procedures and tools in place to identify unauthorized activities, and diligently monitor and respond to them.
* Privacy breach identification, response and notification plans must exist prior to a privacy breach to be able to respond most efficiently and appropriately.

Categories

Rebecca Herold's Bio:

Rebecca Herold,CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.

Now Available:

Featured Resources:

Realtime Communities

Newsletter

Monthly Archives

RSS

Ask the Expert