Security Breach Examples and Practices to Avoid Them

Security Breaches & Recommended Practices | Definitions | Contact Information | Additional Resources |


Data Breach
Recommended Practices

Theft or loss: Computers and laptops, portable electronic devices, electronic media, paper files.

The Security Breach That Started It All

  • Veteran’s Administration (VA) incident: 26.5 million discharged veterans’ records, including name, SSN & date of birth, stolen from the home of an employee who "improperly took the material home."

Ensure proper physical security of electronic and physical restricted data wherever it lives.

  • Lock down workstations and laptops as a deterrent.
  • Secure your area, files and portable equipment before leaving them unattended.
  • Don't leave papers, computers or other electronic devices visible in an empty car or house.
  • Shred sensitive paper records before disposing of them.
  • Don’t leave sensitive information lying around unprotected, including on printers, fax machines, copiers, or in storage.

Laptops should be secured at all times. Keep it with you or lock it up securely before you step away -- and make sure it is locked to or in something permanent.

Use extra security measures for portable devices (including laptop computers) and portable electronic media containing sensitive or critical info:

  • Encryption
  • Extra physical security
  • Even portable devices and media with encrypted PII must have strict physical security.

Securely delete personal identity information (PII) and other restricted data when it is no longer needed for business purposes. Minimizing the amount of sensitive data stored reduces risk in the case of theft. For information on how to securely delete files, see PC/Mac, or email)

Report suspected theft of UCSC-related computing equipment to the UCSC Police Department. Be sure to let them know if the stolen equipment contains any sensitive information. Local authorities should also be contacted if the incident occurs away from campus.

Insecure storage or transmission of PII and other sensitive information:


  • PII, protected student records, or financial data being emailed in plain text, or sent in unprotected attachments. This puts data at risk should it be intercepted while in transit.
  • Saving files containing PII or protected student data in a web folder that is publicly accessible online.
  • Files containing SSNs generated by a web form stored in the same publicly-accessible directory as the web form.
  • Be sure you know who has access to folders before you put restricted data there!
  • Be certain you don’t put sensitive information in locations that are publicly accessible from the Internet. Double check. If you can access it online without a password, so can others.
  • Always transmit restricted data securely. This includes remote access and client/server transmissions.
  • Don't use open/unencrypted wireless when working with or sending this data.
  • Don’t email or IM (instant message) unencrypted restricted data.
  • Don’t forget about restricted data in attachments, screen shots, test data, etc. These need to be sent securely, as well.
  • Don't send paper mail that displays a person's Social Security number, financial account information, or Drivers License/State ID number.

Password hacked or revealed.

This can lead to compromised data, compromised systems, and people using your accounts without your knowledge.

  • Use good, cryptic passwords that are difficult to guess, and keep them secure
  • Never share or reveal your passwords, even to people or organizations you trust
  • Use different passwords for accounts that provide access to restricted data than for your less-sensitive accounts.
  • Use different passwords for work and non-work accounts.
  • Change initial and temporary passwords, and password resets, as soon as possible whenever possible. These tend to be less secure.
  • See UCSC’s Password Strength and Security Standards.

Missing "patches" and updates:

Hackers can take advantage of vulnerabilities in operating systems (OS) and applications if they are not properly patched or updated. This puts all of the data on those system and other connected systems at risk.

Make sure all systems connected to the network/Internet have all necessary operating system (OS) and application security “patches” and updates.

Computer infected with a virus or other malware:

Computers that are not protected with anti-malware software are vulnerable. Out-of-date anti-malware may not detect known malware, leaving your computer vulnerable to infection.

  • Install anti-malware software and make sure it is always up-to-date.
  • Don't click on unknown or unexpected links or attachments. These can infect your computer.
  • Don’t open files sent via chat/IM or P2P software on a machine that contains restricted data – these files can bypass anti-virus screening.
  • Free software and additional information

Improperly configured or risky software:

This can open your computer up to attackers.

  • Don't install unknown or suspicious programs on your computer. These can harbor behind-the-scenes computer viruses or open a “back door” giving others access to your computer without your knowledge.
  • Don’t put sensitive information in places where access permissions are too broad.

Insecure disposal & re-use:


  • Idaho Power Co. (Boise, ID): Four hard drives sold on eBay in 2006 contained hundreds of thousands of confidential documents, employee names and SSNs, and confidential memos to the CEO.
  • A computer at Loyola University containing names, Social Security numbers, and some financial aid information for 5800 students was disposed of before the hard drive was wiped. 
  • The Georgia Dept. of Human Resources notified parents of infants born between 4/1/06 and 3/16/07 that paper records containing parents' SSNs and medical histories -- but not names or addresses -- were discarded without shredding. 
  • Boston Globe used recycled paper containing credit, debit card, and personal check routing information for printing and for wrapping newspaper bundles for distribution. As many as 240,000 records were potentially exposed.
  • Photocopiers that were used to copy sensitive medical information were sent to be re-sold without wiping the hard drives. The data was discovered in the warehouse storing the copiers.
  • Destroy or securely delete restricted data prior to re-use or disposal of equipment or media. For information on how to securely delete files, see PC/Mac, or email.
  • Work with Copy Services or ITS to securely erase printers, fax machines and photocopiers before disposal, resale or returning them to the vendor.
  • Shred sensitive paper records before disposing of them. Do not re-use them where the information could be exposed.

Contractor computer compromised:


  • Boston College server run by a contractor containing addresses and SSN of 120,000 individuals was compromised.
  • A laptop containing the names, Social Security numbers and credit card information for 84,000 University of North Dakota alumni was stolen from the car of a contractor hired to develop software for the University. 
  • A company handling claims for the Georgia Department of Community Health lost a CD in transit containing 2,900,000 individuals' personal information including addresses, birthdates, dates of eligibility, full names, Medicaid or children's health care recipient identification numbers, and Social Security numbers.
  • You are responsible for the security of all UCSC restricted data you transmit or provide access to, including to non-UCSC machines and contractors.
  • Ensure proper contract language is in place and that contractors understand their obligation for protecting sensitive UCSC information.
  • Never send or download PII to an insecure or unknown computer.

Development server compromised:

People sometimes think that "test" and "development" systems don't need to be as secure as "live" or "production" systems. This is a myth. If real data is used, it needs to be protected based on its level of sensitivity, regardless of what kind of system it is in. Otherwise it's an easy nvitation for hackers.

Don’t use actual sensitive data in test or development systems, or for training purposes. If actual data is used, security for the system, test results (including screenshots), log files containing personal data, etc., must be equal to a comparable production system or data, including access controls.

  • Truncate, de-identify or mask restricted data in these systems whenever possible.

Application vulnerabilities and mis-configuration:

UC Examples

  • A hacker attacked a restricted database on a computer in UC Berkeley’s health services center via a public web site on the same server. The database contained the names, Social Security numbers, health insurance information, immunization records, and patient physician information for more than 160,000 UC Berkeley students and alumni as well as former Mills College students. 
  • A UCLA data security breach affecting approx. 28,600 people (initially thought to have affected approx. 800,000 people) was due to a previously-undetected software flaw in one of its applications.

Other Educational Institutions

  • An error in the Texas Women’s University degree auditing program allowed anyone accessing the system to view the names, courses and grades of the 12,000 students enrolled at the university.
  • The University of Florida discovered an error in one of its systems that allowed outside access to directory which contained Social Security numbers for about 100 people. 
  • It is important to have a trained professional check for application security vulnerabilities for all new or custom applications. While these assessments may not find every vulnerability in every application (such as the UCLA example), they should reveal common flaws that can be expolited by hackers.
  • Make sure controls are in place to prevent access to secure databases through insecure databases.
  • Application security resources: Open Web Application Security Project (OWASP)


Personal Identity Information (PII)

Personal identity information (PII) is unencrypted computerized information that includes an individual’s first name or initial, and last name, in combination with any one or more of the following:

  • Social Security number (SSN),
  • Drivers license number or State-issued Identification Card number,
  • Account number*, credit card number, or debit card number in combination with any required security code, access code, or password such as expiration date or mother’s maiden name that could permit access to an individual’s financial account,
  • Medical information, including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional,
  • Health insurance information, including an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

* “Account number” is not defined in the legislation but can refer to any financial account such as a bank or brokerage account, etc.

Restricted Data

The University of California has defined “restricted data” as “Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit.” For a more complete definition, including specific examples of restricted data as defined by UCSC, please refer to ITS' glossary of policy-related terms.


For questions or additional information about any of the above recommended practices, personal identity information (PII), restricted data, or security awareness education at UCSC, please contact the ITS Support Center:

To report a computer security incident:

  • Report any suspected compromise (hacking, unauthorized access, etc.) of computing systems or data to your supervisor and the ITS Support Center (contact info above).
  • Report lost or missing University computing equipment to your supervisor and the Campus Police - and to the local authorities if the incident occurred away from campus.


Additional information about protecting PII and other restricted data:

For comprehensive chronicles of publicly-reported data security breaches, see:


Rev. Nov 2015