Virginia Tech Data Breach Reveals Private Data

Posted by on Oct 2, 2013

Password protection

Image from detroit.cbslocal.com

Several institutions of higher learning have been experiencing security breaches lately. Every other day, it seems, there is news of information being accessed illegally from the servers of well-known universities and colleges. Last week Virginia Tech announced that a server in its Human Resources department had been illegally accessed. The server contained private and sensitive information on about 145,000 job applicants. The sad part is that the leak could easily have been prevented. According to the university’s Associate Vice President for University Relations, Lawrence Hincker, the server was placed in service without proper cyber-protection protocols. This security loophole allowed the hacker to get into the system: a minor oversight gave somebody access to the confidential information of a great many people.

This data breach exposed personal information such as name, address, employment history, education history and prior convictions of job applicants from 2003 to the present, so anyone who applied for a job through Virginia Tech’s online system within that time frame had some data exposed. Although key personal data such as SSNs and dates of birth were not affected, the hacker did have access to the driver’s license numbers of thousands of job applicants. The university’s breach statement notes that “the online application does ask applicants to ‘indicate your professional licenses, certificates, or other authorizations to practice a trade or profession’.” In response to that question, 16,642 of the 144,963 job applicants had provided their driver’s license number.


Identity theft

Image from http://sugarbabydaily.files.wordpress.com


Let’s focus on what led to the attack. The minor issue that left the server vulnerable for hours was a weak password. The Administrator account’s password was not strong enough and did not follow VT’s password strength rules, so it was easy for the hackers to guess and crack. The university learned of the data leak hours later, when it was alerted that its computers were making password probes against another person or company. In response to the attack, the security team at VT immediately disconnected the system from the network and monitored traffic continuously with cybersecurity monitoring tools to trace the path of the attack. After thorough analysis and monitoring it was concluded that the attack came from a server in Italy and had accessed the personally identifying information of thousands of job applicants. The university has taken significant action by providing identity insurance and a year of access to a credit monitoring service to individuals whose driver’s license numbers were accessible during the breach.



Image from publicpolicy.telefonica.com


Computerworld states that “Statistics maintained by Privacy Rights Clearinghouse show that through Sept. 24, there have been 29 breaches involving about 371,137 records at educational institutions around the country. In contrast, universities reported a total of 85 breaches involving over 1.7 million data records in 2012”. Here are some of the lessons learnt from these security breaches:

  • Use strong passwords: Password cracking is a very common attack. To crack passwords offline, an attacker needs the stored password file and knowledge of the algorithm used to protect it. Two common methods are the brute-force attack and the dictionary attack, in which the attacker tries combinations of known passwords or possible keys to guess yours. You can make password cracking impractical by using long, complex passwords (at least 8 characters, combining letters, numbers and special characters) and changing them after a specified period (30 or 90 days).
  • Do not collect or store unneeded information on your servers: Collect and store only the data your database server actually requires, and get rid of the rest. Personal information such as SSNs, credit card numbers or driver’s license numbers should not be collected unless strictly necessary. Referring back to the Virginia Tech incident, there was no need to keep the personal data of all job applicants on the university’s servers for so long; only the personally identifying information of the employees actually hired needed to be stored and secured. Similarly, it is not at all necessary to ask for driver’s license information in an online job application.
  • Follow your organization’s security policies and procedures: Strictly follow your organization’s security policies and procedures to maintain data privacy and confidentiality. Companies must develop security guidelines to sort through the requirements, develop processes for handling data, and design applications that include appropriate safeguards, such as encryption and restricted access, for each location.
  • Encrypt stored and backup data: Use strong encryption standards to protect stored and backup data. Sensitive information should be encrypted with AES using 256-bit keys. Covered data transmitted over email should be secured using strong email encryption such as PGP or S/MIME.
  • Enable security controls: Use strong network protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to secure data in transit. Below is a list of insecure network protocols with their secure alternatives:


Important keys for protection

Image from security.berkeley.edu


  • Update and maintain security patches: Security patches should be kept current and applied at regular intervals. This is one area where administrators fall short, and it subsequently leads to data breaches. Websites that are rich in third-party applications, widgets, plug-ins and add-ons are extremely vulnerable to cyber attacks and need to be patched frequently.
  • Be careful in sharing your information: The HR department of any organization is usually responsible for handling sensitive data with people inside and outside the organization, and this sharing of information often leads to data leaks. To prevent such leaks, use automatic encryption and multilayered protection; these techniques will safeguard any electronically transmitted data.
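The “Use strong passwords” lesson above, turned into a check a defender can run against an administrator password before a server goes into service. This is an added Go example, not code from the post or from Virginia Tech; the Analyze function, its common-password list, the assumed pool sizes (26 lower, 26 upper, 10 digits, 33 symbols) and the sample password are all constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// Constructed list of common passwords; a real dictionary check uses a large wordlist.
var commonPasswords = map[string]bool{"password": true, "admin": true, "welcome": true, "letmein": true}

// Analyze applies the post's rules (at least 8 characters mixing letters, numbers and special characters)
// plus a dictionary check, returning the rules broken and the brute-force search space in bits (pool sizes assumed).
func Analyze(pw string) (problems []string, bits float64) {
	pools := map[string]int{} // character classes present, with the size of each pool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			pools["lower"] = 26
		case unicode.IsUpper(r):
			pools["upper"] = 26
		case unicode.IsDigit(r):
			pools["digit"] = 10
		default:
			pools["special"] = 33 // printable ASCII symbols
		}
	}
	pool := 0
	for _, n := range pools {
		pool += n
	}
	bits = float64(len([]rune(pw))) * math.Log2(float64(pool))
	if len([]rune(pw)) < 8 {
		problems = append(problems, "shorter than 8 characters")
	}
	if pools["lower"]+pools["upper"] == 0 || pools["digit"] == 0 || pools["special"] == 0 {
		problems = append(problems, "needs letters, numbers and special characters")
	}
	// Strip trailing digits/symbols so "Admin123!" is still recognised as dictionary-based.
	if commonPasswords[strings.ToLower(strings.TrimRight(pw, "0123456789!@#$%^&*"))] {
		problems = append(problems, "based on a common dictionary word")
	}
	return problems, bits
}

func main() {
	problems, bits := Analyze("admin123") // constructed example of a weak administrator password
	fmt.Printf("%.0f-bit search space, problems: %v\n", bits, problems)
}
```

The search-space figure makes the point of the lesson concrete: eight lower-case letters and digits give about 41 bits, while a 12-character password drawn from all four classes gives close to 79.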


SpiderOak Blue for Enterprises:

Finding a truly secure third-party cloud service can be a challenge, as many services on the market have security gaps that leave private data vulnerable to third-party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. For the average web user, SpiderOak offers the same protections at lower cost and with less storage space.

SpiderOak Blue protects sensitive enterprise data through two-factor authentication and 256-bit AES encryption, so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code sent by text message along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero knowledge” of user passwords or data, and all plaintext encryption keys are stored exclusively on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac and Linux, along with Android and iOS mobile devices.
