The University of Nevada at Las Vegas (UNLV) has announced the potential data breach of 2,000 current and former students’ information. The information was compromised, if it was compromised, in 2008. Would full disk encryption like AlertBoot have helped in this situation? Possibly.
2008 Breach Found in 2011
According to several reports, UNLV has announced that it found evidence of “unauthorized user access” to computers in the Controllers’ Office during routine maintenance. While no financial information was present in these computers, Social Security numbers were present as part of a computer-purchasing loan program.
The details are sketchy enough that I can’t quite tell whether this was an on-line hack (say, by a guy in Belarus) or an insider attack. You know, where you pull up your chair to someone else’s computer and start inspecting files.
Now, in the former case, the use of encryption software would have helped by cryptographically protecting any important files (assuming that the hacker bypassed other security controls that ought to be in place for an on-line computer).
In the latter, the use of disk encryption would have helped, assuming that the password was not being shared. Disk encryption would ensure that information is not accessed by “slaving” the hard disk, and the use of strong passwords (along with rate-limiting and automatic logout after too many unsuccessful attempts) would have prevented an insider attack.
As of the time of the report, UNLV was “working on how to prevent similar data breaches, including reviewing information security policies and increasing employee training.”
If they’re in need of any cryptographic computer protection for their computers, UNLV should give us a call. We can literally see their campus from where we work, so perhaps we’ll give them a “part of our breathtaking-vista” discount. (Obviously that’s an exclusive deal that can’t be extended to most companies and organizations.)
As for the fact that they’re alerting students about a three-year-old breach…I’ve got to give them kudos. One way of looking at the situation is that it took UNLV three years to alert affected students. And, if one assumes that there is yearly maintenance, one also ponders why they didn’t detect this in the past couple of years. It sounds criminal.
On the other hand, the breach of SSNs has a different order of magnitude than the breach of, say, credit cards. With credit cards, your exposure is limited both in terms of financial hit as well as period (cards have expiration dates as well as the ability to cancel them). The effects of stolen SSNs, as anyone who follows fraud stories on-line as well as on TV (such as CNBC’s show, American Greed) knows, is much more affecting, with the potential to drag on for years with no ceiling on losses.
In this case, better late than never is most apt, and UNLV’s decision to sound the alarm instead of just brushing it under the rug is to applauded.
(I’ll admit that I’m not too crazy about the three-year delay, though. But again, it was the right thing to do. You can fault someone for delaying a notification, but it’s a gray area when it comes to criticizing someone for not finding out sooner about an issue).
PS – Oh, yeah. Some people commented that it’s not just the right thing to do, it’s the law in Nevada. Of course. How could I forget? I’ve blogged about it before. For example, what does NRS 603A require and do non-profits have to follow Nevada’s privacy and encryption law? (Answer: yes.)
Related Articles and Sites: