Security Breach Examples and Practices to Avoid Them


EXAMPLES OF SECURITY BREACHES AND CORRESPONDING RECOMMENDED PRACTICES

Data Breach
Recommended Practices

Theft or loss: Computers and laptops, portable electronic devices, electronic media, paper files

UC examples

  • Unsecured laptop computers and workstations stolen from main UCSC campus and 2300 Delaware
  • UC Berkeley laptop stolen from unlocked office, more than 98,000 records containing SSN
  • UCLA laptop stolen from a locked van with a database that included names, birth dates, SSN and blood type for approx. 145,000 blood donors.

The Security Breach That Started It All

  • Veteran’s Administration (VA) incident: 26.5 million discharged veterans’ records, including name, SSN & date of birth, stolen from the home of an employee who "improperly took the material home."

Ensure proper physical security of electronic and physical restricted data wherever it lives.

  • Lock down workstations and laptops as a deterrent.
  • Secure your area, files and portable equipment before leaving them unattended.
  • Don't leave papers, computers or other electronic devices visible in an empty car or house.
  • Shred sensitive paper records before disposing of them.
  • Don’t leave sensitive information lying around unprotected, including on printers, fax machines, copiers, or in storage.

Laptops should be secured at all times. Keep your laptop with you or lock it up securely before you step away, and make sure it is locked to or in something permanent.

Use extra security measures for portable devices (including laptop computers) and portable electronic media containing sensitive or critical info:

  • Encryption
  • Extra physical security
  • Even portable devices and media with encrypted PII must have strict physical security.

Securely delete personal identity information (PII) and other restricted data when it is no longer needed for business purposes. Minimizing the amount of sensitive data stored reduces risk in the case of theft. For information on how to securely delete files, see KB0015398 (PC/Mac), or KB0016804 (email).

Report suspected theft of UCSC-related computing equipment to the UCSC Police Department. Be sure to let them know if the stolen equipment contains any sensitive information. Local authorities should also be contacted if the incident occurs away from campus.

Insecure storage or transmission of PII and other sensitive information

UC examples

  • UCSC staff member saving files containing PII & protected student record data in a “public.htm” folder, not realizing they were publicly accessible. Notices sent to affected individuals.
  • UCSC - multiple instances: Files containing SSN generated by a web form stored in the same publicly-accessible directory as the web form. Technical investigations showed no evidence that PII data was accessed.
  • UCSC: Proprietary intellectual property accidentally posted on the internet.
  • UCSC: Multiple examples of PII, protected student records, and financial data being emailed in plain text, or sent in unprotected attachments. This practice puts data at risk should it be intercepted while in transit.

Recommended practices

  • Be sure you know who has access to folders before you put restricted data there!
  • Be certain you don’t put sensitive information in locations that are publicly accessible from the Internet. Double check. If you can access it online without a password, so can others.
  • Always transmit restricted data securely. This includes remote access and client/server transmissions.
  • Don't use open/unencrypted wireless when working with or sending this data.
  • Don’t email or IM (instant message) unencrypted restricted data.
  • Don’t forget about restricted data in attachments, screen shots, test data, etc. These need to be sent securely, as well.
  • Don't send paper mail that displays a person's Social Security number, financial account information, or Drivers License/State ID number.
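
A check for the situation in the UCSC examples above, where a web form wrote its output into the folder it was served from. This is an added example, not code from the original page; the folder layout, file names and sample values are constructed, and the pattern only catches dash-formatted SSNs.

```python
import os
import re
import stat
import tempfile

# SSN-shaped strings (NNN-NN-NNNN), skipping values that are never issued
# (area 000, 666 or 9xx; group 00; serial 0000) to reduce false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def scan_web_root(root, max_bytes=1_000_000):
    """Return sorted (relative_path, ssn_like_hits, world_readable) for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.stat(path).st_mode
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            hits = len(SSN_RE.findall(text))
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, hits, bool(mode & stat.S_IROTH)))
    return sorted(findings)


def demo():
    """Build a constructed web folder: a form plus the data file it wrote beside itself."""
    with tempfile.TemporaryDirectory() as root:
        forms = os.path.join(root, "forms")
        os.makedirs(forms)
        with open(os.path.join(forms, "apply.html"), "w") as fh:
            fh.write("<form method='post'>SSN: <input name='ssn'></form>\n")
        data = os.path.join(forms, "submissions.csv")
        with open(data, "w") as fh:
            # Constructed sample values, not real records.
            fh.write("name,ssn\nSample One,123-45-6789\nSample Two,234-56-7890\n")
        os.chmod(data, 0o644)
        return scan_web_root(root)


if __name__ == "__main__":
    for rel, hits, world in demo():
        print(f"{rel}: {hits} SSN-like value(s), world-readable={world}")
```

Any file the scan reports under a web-served folder should be moved out of that folder and its access reviewed, whether or not the web server currently lists it.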

Password hacked or revealed:

  • UCSC: Multiple campus systems have been breached due to compromised passwords.
  • UCSF: A faculty physician replied to a phishing email and revealed his or her email username and password. The email account contained private medical information for about 600 patients.

Recommended practices

  • Use good, cryptic passwords that are difficult to guess, and keep them secure.
  • Don’t share or reveal passwords
  • Use different passwords for accounts that provide access to restricted data than for your less-sensitive accounts.
  • Change initial and temporary passwords, and passwords issued by a reset, as soon as possible. These tend to be less secure.
  • See UCSC’s Password Strength and Security Standards.

Missing "patches" and updates:

Hackers can take advantage of known vulnerabilities in operating systems (OS) and third-party applications if systems and applications are not properly patched or updated.

UC Examples

  • UCSC: Hackers took advantage of a known vulnerability on an unpatched server, potentially putting 30-40,000 student records containing PII at risk. Technical investigation showed PII data was not accessed.
  • UCSC: Hackers took advantage of a known OS vulnerability on a server that was not successfully patched, putting UCSC PII and HIPAA data at risk. Technical investigation showed PII and HIPAA data were not accessed.
  • UC Berkeley: Hackers took advantage of a known vulnerability on an unpatched researcher’s computer to potentially gain access to some 1.4 million names, SSN, telephone numbers, addresses and dates of birth. 

Other Educational Institutions

  • University of Colorado: A server containing 44,998 student names and Social Security numbers was infected because an application on it had not been properly patched. 
  • An error in the Ryerson University Student Administration System allowed individuals to view others' personal information including names, genders, dates of birth, student numbers, mailing addresses, email addresses, and Social Insurance numbers. Ryerson installed a software patch to fix the problem. 

Make sure all systems that contain or access Restricted Data have all necessary operating system (OS) and third-party application security “patches” and updates.

Computer infected with a virus:

Computers that are not protected with anti-virus and anti-spyware software are vulnerable. Out-of-date anti-virus may not detect known viruses, leaving your computer vulnerable to infection.

UC Examples

  • Multiple workstations at UCSC were infected when people clicked on a malicious attachment in a fake Hallmark e-card. No sensitive information was exposed, but the incident affected support operations for the campus.

Other Educational Institutions

  • Kapiolani Community College: A computer with access to a network containing names, addresses, phone numbers, dates of birth and Social Security numbers for 15,487 current and former students was infected with malware that could allow remote access and control.
  • Penn State University: A virus infiltrated an administrative computer that contained more than 1,000 employee Social Security numbers. 

Recommended practices

  • Install anti-virus and anti-spyware software and make sure it is always up-to-date.
  • Don't click on unknown or unexpected links or attachments. These can infect your computer.
  • Don’t open files sent via IM or P2P software on a machine that contains restricted data – these files can bypass anti-virus screening.

Improperly configured or risky software:

  • UCSC: File sharing software was installed on a machine in an office that works with highly sensitive data. An investigation determined that no sensitive data was stored on that computer; however, improperly configured file sharing software could potentially allow access to all files on a machine.
  • A Ball State University web server was compromised when a user on the server failed to properly secure their web space. This allowed an unknown individual(s) to upload a malicious script to the server. 

Recommended practices

  • Don't install unknown or suspicious programs on your computer. These can harbor behind-the-scenes computer viruses or open a “back door” giving others access to your computer without your knowledge.
  • Don’t put sensitive information in places where access permissions are too broad.

Insecure disposal & re-use:

  • Idaho Power Co. (Boise, ID): Four hard drives sold on eBay in 2006 contained hundreds of thousands of confidential documents, employee names and SSNs, and confidential memos to the CEO.
  • A computer at Loyola University containing names, Social Security numbers, and some financial aid information for 5800 students was disposed of before the hard drive was wiped. 
  • The Georgia Dept. of Human Resources notified parents of infants born between 4/1/06 and 3/16/07 that paper records containing parents' SSNs and medical histories -- but not names or addresses -- were discarded without shredding. 
  • Boston Globe used recycled paper containing credit, debit card, and personal check routing information for printing and for wrapping newspaper bundles for distribution. As many as 240,000 records were potentially exposed.

Recommended practices

  • Destroy or securely delete restricted data prior to re-use or disposal of equipment or media. For information on how to securely delete files, see KB0015398 (PC/Mac), or KB0016804 (email).
  • Shred sensitive paper records before disposing of them. Do not re-use them where the information could be exposed.

Contractor computer compromised:

  • Boston College server run by a contractor containing addresses and SSN of 120,000 individuals was compromised.
  • A laptop containing the names, Social Security numbers and credit card information for 84,000 University of North Dakota alumni was stolen from the car of a contractor hired to develop software for the University. 
  • A company handling claims for the Georgia Department of Community Health lost a CD in transit containing 2,900,000 individuals' personal information including addresses, birthdates, dates of eligibility, full names, Medicaid or children's health care recipient identification numbers, and Social Security numbers.

Do not send or download PII to an insecure or unknown computer.

  • We are responsible for the security of all UCSC restricted data we transmit or provide access to, including to non-UCSC machines and contractors.
  • Ensure proper contract language is in place and that contractors understand their obligation for protecting sensitive UCSC information.

Development server compromised:

  • UC San Francisco: A development server that was less-secure than the live server was hacked. The development server contained approx. 7000 individuals’ financial data. 
  • A student performing a Google search for his name discovered a publicly-accessible "test" database containing student names, birth dates and Social Security numbers for him and about 2,000 other Los Rios Community College District students. 

Don’t use actual sensitive data in test or development systems, or for training purposes. If actual data is used, security for the system, test results (including screenshots), log files containing personal data, etc., must be equal to a comparable production system or data, including access controls.

  • Truncate, de-identify or mask restricted data in these systems whenever possible.
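
One way to truncate, de-identify and mask records before they are loaded into a test or development system. This is an added example, not code from the original page; the field names, sample rows and key are constructed, and keeping the pseudonym key off the test system is an assumption the approach depends on.

```python
import hashlib
import hmac


def pseudonym(value, key, prefix):
    """Keyed, deterministic token: equal inputs map to equal tokens, so joins still work."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:12]}"


def mask_ssn(ssn):
    """Truncate an SSN to its last four digits; malformed input reveals nothing."""
    digits = "".join(c for c in ssn if c.isdigit())
    if len(digits) != 9:
        return "XXX-XX-XXXX"
    return "XXX-XX-" + digits[-4:]


def deidentify(record, key):
    """Return a copy of one record that is safe to load into a test system."""
    return {
        "student_id": pseudonym(record["student_id"], key, "sid"),
        "name": pseudonym(record["name"], key, "name"),
        "ssn": mask_ssn(record["ssn"]),
        "birth_year": record["birth_date"][:4],  # generalize full date to year
        "major": record["major"],                # non-identifying field kept as-is
    }


# Constructed sample rows (not real data); field names are assumptions.
SAMPLE = [
    {"student_id": "1000001", "name": "Sample One", "ssn": "123-45-6789",
     "birth_date": "1990-04-12", "major": "Physics"},
    {"student_id": "1000002", "name": "Sample Two", "ssn": "234567890",
     "birth_date": "1991-11-30", "major": "History"},
]

if __name__ == "__main__":
    # Assumption: the key lives only where production data is exported.
    key = b"example-key-kept-off-the-test-system"
    for row in SAMPLE:
        print(deidentify(row, key))
```

If the test system has no need for the last four digits, have `mask_ssn` return the fully masked value for every row.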

Application vulnerabilities and mis-configuration

UC Examples

  • A hacker attacked a restricted database on a computer in UC Berkeley’s health services center via a public web site on the same server. The database contained the names, Social Security numbers, health insurance information, immunization records, and patient physician information for more than 160,000 UC Berkeley students and alumni as well as former Mills College students. 
  • A UCLA data security breach affecting approx. 28,600 people (initially thought to have affected approx. 800,000 people) was due to a previously-undetected software flaw in one of its applications.

Other Educational Institutions

  • An error in the Texas Women’s University degree auditing program allowed anyone accessing the system to view the names, courses and grades of the 12,000 students enrolled at the university.
  • The University of Florida discovered an error in one of its systems that allowed outside access to a directory that contained Social Security numbers for about 100 people.

Recommended practices

  • It is important to have a trained professional check for application security vulnerabilities for all new or custom applications. While these assessments may not find every vulnerability in every application (such as the UCLA example), they should reveal common flaws that can be exploited by hackers.
  • Make sure controls are in place to prevent access to secure databases through insecure databases.



DEFINITIONS

Personal Identity Information (PII)

Personal identity information (PII) is unencrypted computerized information that includes an individual’s first name or initial, and last name, in combination with any one or more of the following:

  • Social Security number (SSN),
  • Drivers license number or State-issued Identification Card number,
  • Account number*, credit card number, or debit card number in combination with any required security code, access code, or password such as expiration date or mother’s maiden name that could permit access to an individual’s financial account,
  • Medical information, including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional,
  • Health insurance information, including an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

* “Account number” is not defined in the legislation but can refer to any financial account such as a bank or brokerage account, etc.


Restricted Data

The University of California has defined “restricted data” as “Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit.” For a more complete definition, including specific examples of restricted data as defined by UCSC, please refer to ITS' glossary of policy-related terms.


CONTACT INFORMATION

For questions or additional information about any of the above recommended practices, personal identity information (PII), restricted data, or security awareness education at UCSC, please contact the ITS Support Center:

To report a computer security incident:

  • Report any suspected compromise (hacking, unauthorized access, etc.) of computing systems or data to your supervisor and the ITS Support Center (contact info above).
  • Report lost or missing University computing equipment to your supervisor and the Campus Police - and to the local authorities if the incident occurred away from campus.

ADDITIONAL RESOURCES

Additional information about protecting PII and other restricted data:

For comprehensive chronicles of publicly-reported data security breaches, see:

Reviewed. April 2014