
Paradox - a statement or proposition that seems self-contradictory or absurd but in reality expresses a possible truth.

:: BINARY PARADOX ::

Stepping stone to the /dev/null in the sky

On Privacy Breaches

I’ve just received an e-mail from my University’s Provost (apparently a fancy word for senior academic administrator) about a privacy breach that affects my information. I’m posting the message and my response here in the hopes that I can document yet another example of how organizations do a remarkably poor job of protecting our information.

In the event I receive a response, I’ll be sure to include it here as well. My intuition tells me that I will receive a boilerplate response that glosses over the technical details and real issues underlying things. I’d love to be proven wrong in that regard.

Unfortunately, this isn’t likely to be noticed by the majority of the student population. Speaking in dangerously large generalities, most of the student body seems all too willing to give away their personal information on websites and surveys. I predict dangerous levels of apathy and under-reaction, since no financial data was leaked.

Initial communication:

I am writing to inform you that some of your student information was inadvertently made accessible through Internet searches. This occurred when a file containing some student information was accidentally uploaded onto a publicly accessible Brock website by a library employee. The information file included all student names, student numbers, phone numbers, mailing addresses and email addresses. The file that was inadvertently uploaded has been deleted. All student files are now safe and secure.

University officials were alerted to the situation on Jan. 28 when a student told library staff that he had accessed some of his own information when he did a Google search of his name. University staff immediately deleted the file and contacted Google to have all of the information erased from any search archives or indexes. It is extremely unlikely that the information contained in the file could be used to access any further personal information at the University, because of password protection and security measures that are in place.

A situation like this is not something we take lightly, and immediate steps were taken to reduce the risk of any recurrences. Brock University is committed to the highest level of security of student information and the protection of privacy, and has informed the Office of the Information and Privacy Commissioner/Ontario of the incident to ensure that all obligations under the Freedom of Information and Protection of Privacy Act are fulfilled.

Although there is no immediate risk posed by this incident, we routinely encourage students to regularly change their passwords for security purposes. Students can access the passwords for their campus accounts through the portal at my.brocku.ca.

If you have any questions regarding this matter, please contact University Communications at univcomm@brocku.ca or at 905.688.5550 ext 4687.

Murray Knuttila
Provost and Vice-President Academic

My response:

Hi there,

At the end of your message you invited any questions. I hope you’ll be able to answer several that came to mind when I read this message.

1)
> immediate steps were taken to reduce the risk of any recurrences.

What were these immediate steps? This specific instance seems to illustrate to me that the problem is more deeply rooted and can’t be fixed so quickly. I’m interested in knowing the details of the steps the Administration have taken.

2)

> This occurred when a file containing some student information was accidentally
> uploaded onto a publicly accessible Brock website by a library employee.

This is the heart of my “deeply rooted” comment above. I’m curious why a Library employee had this much information on students, let alone in such large quantities. I’m having difficulty reasoning why they would need more than my name and student number, especially since I have never withdrawn a single book.

Would it not be enough to have student names and corresponding student number to cross reference with the registrar’s office when more sensitive information was required?

Why was the principle of least privilege so grossly ignored here as to have an entire campus’s worth of personal information in one file under the control of one person?

3)

Is it common Brock procedure to store personal and sensitive information in an unencrypted format with no password protection? Are there other areas of the school that follow such practices with my information?

Thank you for your time,

UPDATED 02/03/10 – Reply #1

Daniel,
Thanks for your note.
I’ll get responses to your questions and get back to you as soon as possible…
Best, Jeffrey S.

Jeffrey Sinibaldi
Media Relations Officer, Brock University
905-688-5550 x4687

I will update this page in the event of further replies.

Kudos to Brock for the quick response. I look forward to Mr. Sinibaldi’s relationships with my media…
