Almost everyone is aware of the recent data breach experienced by Target, but universities are not immune. Higher education institutions are experiencing an increasing number of attacks from cybercriminals and foreign governments.
The University of Maryland reported a data breach of over 300K records for faculty, staff, and students that included names, Social Security numbers, and dates of birth. While no other data was exposed (e.g., academic or health records), the breach still confirms the UMD affiliation of everyone whose record was included. That information could be used to target individuals or extract other information from UMD or other entities.
Security and the weakest link
Security is only as strong as the weakest link in the information chain, and data leaked from one organization can be used to bypass security measures at another organization. The type of information exposed in the UMD breach is often what you might use to prove your identity before resetting your password. If someone else can reset your password, your data can be compromised. But it doesn’t even take a massive or public data breach to expose you to attack. This past year, a person was able to use social engineering to bypass GoDaddy’s security and claim a highly valued Twitter handle. A vulnerability in one organization enabled coercion and theft within the confines of another organization. Our efforts to protect data privacy here at UALR are as important for our institution as they are for other organizations.
Both the National Cyber Security Alliance and EDUCAUSE have recently conducted events related to protecting data privacy throughout industry, education, and the populace as a whole. The entire Information Technology Services team also takes data privacy very seriously, and so we are asking you to join us in campus-wide efforts to keep our data safe and secure.
Do you know where your PII is?
As officials of the university, it is our responsibility to protect the personally identifiable information (PII) of all of our affiliates (students, employees, visitors, etc.). Any time you are viewing, collecting, exporting, analyzing, sharing, or archiving data that contains PII, it is important that you treat that data with a heightened level of concern regarding its dissemination.
Maintaining data privacy means that we ensure PII is only shared with people and systems authorized to view or use the data. We can protect our affiliates’ privacy by applying robust data security governance, habits, and technologies.
PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in a potentially sensitive context. Examples of data that are almost always considered sensitive (source: Handbook for Safeguarding Sensitive Personally Identifiable Information, Department of Homeland Security) include:
- National or state identification number
- Driver’s license number
- Alien registration or passport number
- Financial account numbers (bank account, credit card numbers)
- Biometric identifiers such as face, fingerprints, handwriting, or genetic information
Data that become sensitive when paired with other information (often used to verify identity) include:
- Citizenship or immigration status
- Medical information
- Ethnic or religious affiliation
- Sexual orientation
- Account passwords
- Last 4 digits of SSN
- Date of birth or birthplace
- Criminal history
- Mother’s maiden name
And finally, information that can provide methods of identifying or communicating with a protected person (such as a student) is also considered sensitive and includes:
- Full name (if not common)
- Mailing and home address
- Account usernames
- Email address (if private from an association/club membership, etc.)
- IP address (in some cases)
- Vehicle registration plate number
If you have any concerns about the safety of private data in your department or on your specific computer, contact the assistance center.