Posted by Kalyani M. on Oct 2, 2013
Several institutions of higher learning have experienced security breaches lately. Every other day, it seems, there is news of information being accessed illegally from the servers of well-known universities and colleges. Last week Virginia Tech announced that one of the servers in its Human Resources department had been illegally accessed. The server contained private and sensitive information on about 145,000 job applicants. The sad part is that the leak could easily have been prevented. According to the university’s Associate Vice President for University Relations, Lawrence Hincker, the server was placed in service without proper cyber-protection protocols. This security loophole allowed the hacker to get into the system: a minor oversight gave somebody access to the confidential information of a great many people.
This data breach exposed personal information such as name, address, employment history, education history and prior convictions of job applicants from 2003 to the present, so anyone who applied for a job through Virginia Tech’s online system within this time frame had some data exposed. Although key personal data such as SSN and date of birth were not affected, the hacker did have access to the driver’s license numbers of thousands of job applicants. The university’s breach statement notes that “the online application does ask applicants to ‘indicate your professional licenses, certificates, or other authorizations to practice a trade or profession’.” In response to that question, 16,642 of the 144,963 job applicants had provided their driver’s license number.
Let’s focus on what led to the attack. The minor issue that left the server vulnerable for hours was a weak password setting: the Administrator account password was not strong enough and did not follow VT’s password strength rules, so it was easy for the hackers to guess and crack. The university learned of the data leak hours later, when it was alerted that its computers were making password probes against another person’s or company’s systems. In response, the security team at VT immediately disconnected the system from the network and monitored the network continuously with cybersecurity monitors to trace the path of the attack. After thorough analysis and monitoring it was concluded that the attack came from a server in Italy and accessed the personally identifying information of thousands of job applicants. The university has taken significant action by providing identity insurance and access to a credit monitoring service for a year to the individuals whose driver’s license numbers were accessible during the breach.
Computerworld states that “Statistics maintained by Privacy Rights Clearinghouse shows that through Sept. 24, there have been 29 breaches involving about 371,137 records at educational institutions around the country. In contrast, universities reported a total of 85 breaches involving over 1.7 million data records in 2012”. Here are some of the lessons learnt from these security breaches:
SpiderOak Blue for Enterprises:
Finding a truly secure third-party cloud service can be a challenge, as many services on the market have security gaps that leave private data vulnerable to third-party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. It provides enterprises with a fully private cloud service featuring all the benefits of cloud storage along with 100% data privacy; for the average web user, SpiderOak offers the same protections at lower cost and with smaller storage space.
SpiderOak Blue protects sensitive enterprise data through two-factor authentication and 256-bit AES encryption, so files and passwords stay private as unreadable blocks of data. Two-factor authentication works like the process used by some financial services that require a PIN as an extra precaution alongside a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code sent by text message along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because the service has absolutely “zero knowledge” of user passwords or data: all plaintext encryption keys are stored exclusively on approved devices, and SpiderOak never hosts any plaintext data. SpiderOak Blue’s cross-platform private cloud services are available to enterprises on Windows, Mac and Linux, as well as Android and iOS mobile devices.