Avoiding Data Security Breaches

What Is a Data Security Breach?

A data breach is a security incident in which unauthorized individuals or entities gain access to sensitive and confidential information, potentially resulting in the exposure, theft, or compromise of personal or university data. Data breaches can lead to financial losses, identity theft, and potential disruption of essential services. Safeguarding against these breaches is crucial to protect personal privacy, financial stability, and institutional integrity.

Common Types of Data Security Breaches and Recommended Safeguards

Theft or loss of computers and laptops, portable electronic devices, electronic media, or paper files. To ensure proper physical security of electronic and physical sensitive data:

  • Lock down workstations and laptops.
  • Secure your area, files, and portable equipment before leaving them unattended.
  • Don't leave papers, computers or other electronic devices visible in an empty car or house.
  • Shred sensitive paper records before disposing of them.
  • Don’t leave sensitive information lying around unprotected, including on printers, fax machines, copiers, or in storage.

Compromised PII and other sensitive information can occur when PII and other sensitive information is not stored or transmitted securely. To avoid compromised PII:

  • Be sure you know who has access to folders before you put sensitive data there!
  • Be certain you don’t put sensitive information in locations that are publicly accessible from the Internet. 
  • Always transmit sensitive data securely. This includes remote access and client/server transmissions.
  • Don't use open/unencrypted wireless when working with or sending this data.
  • Don’t email or instant message (IM) unencrypted sensitive data. This includes sensitive data in attachments, screen shots, test data, etc. 
  • Don't send paper mail that displays a person's Social Security number, financial account information, or driver's license/state ID number.

Hacked or revealed passwords can lead to compromised data, compromised systems, and people using your accounts without your knowledge. The following practices can minimize the risk of a password hack:

  • Use strong passwords that are difficult to guess, and keep them secure.
  • Never share or reveal your passwords, even to people or organizations you trust.
  • Use different passwords for work and non-work accounts.
  • Have a unique password for each account.
  • Change initial and temporary passwords, and password resets, as soon as possible whenever possible. These tend to be less secure.

Malware or virus Infection can occur in computers not protected with anti-malware software. Out-of-date anti-malware may not detect known malware, leaving your computer vulnerable to infection. To avoid malware and virus infection:

  • Install anti-malware software and make sure it is always up-to-date.
  • Don't click on unknown or unexpected links or attachments. These can infect your computer.
  • Don’t open files sent via chat/IM or P2P software on a machine that contains sensitive data – these files can bypass anti-virus screening.

Data retrieved from discarded or recycled equipment or media. To avoid a data breach from improperly disposed of or recycled equipment or media:

  • Destroy or securely delete sensitive data prior to re-use or disposal of equipment or media. For information on how to securely delete files, see PC/Mac, or email.
  • Work with Copy Services or ITS to securely erase printers, fax machines and photocopiers before disposal, resale or returning them to the vendor.
  • Shred sensitive paper records before disposing of them. Do not reuse them where the information could be exposed.

Contractor's computer compromised. You are responsible for the security of all UC Santa Cruz sensitive data you transmit or provide access to, including to non-UC Santa Cruz machines and contractors.  

  • Ensure proper contract language is in place and that contractors understand their obligation to protect sensitive UC Santa Cruz information.
  • Never send or download PII to an insecure or unknown computer.

Additional Vulnerability Concerns

Missing patches and updates create vulnerabilities in operating systems (OS) and applications and puts all of the data on those systems and other connected systems at risk. Make sure all systems connected to the network/internet have all necessary OS and application security patches and updates.

Improperly configured or risky software can open your computer up to attackers. Don't install unknown or suspicious programs on your computer. These can harbor computer viruses or give others access to your computer without your knowledge. 

Application vulnerabilities and misconfiguration. It is important to have a trained professional check for application security vulnerabilities for all new or custom applications. While these assessments may not find every vulnerability in every application, they should reveal common flaws that can be exploited by hackers. 

Development server security. "Test" and "development" systems need to be as secure as "live" or "production" systems. If real data is used, it needs to be protected based on its level of sensitivity, regardless of what kind of system it is in. Otherwise, it's an easy invitation for hackers. 

Get Help

To learn more about protecting sensitive data, see Practices for Protecting Electronic P3-P4 Data.

For questions or additional information about any of the above recommended practices, personally identifiable information (PII), sensitive data, or security awareness education at UC Santa Cruz, please contact the ITS Support Center.

To report a data security breach, submit a UCSC Security Incident Report.

If university computing equipment is missing or stolen, report it to your supervisor and the UCSC Police Department. If the incident occurred away from campus, contact the local authorities as well.