Duke, 9,000 partial SSNs, Hacker. (With Commentary.)
In Hacker hits Duke system [link to http://newsobserver.com/business/story/2471894p-8875992c.html no longer works], the (Charlotte? Raleigh [thanks, Neil!]) News and Observer reports on a breach at Duke University School of Medicine. The school’s “Security Incident at Duke” [link to http://medschool.duke.edu/security/ no longer works] page states:
On Thursday, May 26, 2005 a security breach allowed an unauthorized user to gain access to data stored on several web sites at Duke University Medical Center. None of the web sites was used for patient care.
The web sites that were accessed did NOT contain any patient data or personal financial information, such as credit card or bank account numbers. However, they did include the passwords of about 5,500 users. These passwords gave the users access to various Duke web sites. In addition, some of the compromised databases included fragments of Social Security numbers – either four or six of the nine digits – for about 9,000 users. (Emphasis Duke’s.)
What I find interesting is that the norms are changing very quickly. In January, this probably would have been swept under the rug. But all that was revealed was passwords. Many companies are lobbying like mad to not have to do this. What they don’t understand is that a new normal has emerged while they weren’t looking.
Choicepoint tried the “We notified everyone we were required to” line. It didn’t work for them. It won’t work for anyone else. So can we please get over the posturing, and admit that breaches happen?
Maybe once we do, we can start learning why they happen, and from there, start addressing root causes.
FYI, The N&O is the Raleigh paper. Charlotte’s paper is just The Charlotte Observer.
Thanks for keeping this blog up-to-date…it’s great stuff!