Shostack + Friends Blog Archive

 

Cornell, 900 SSNs, "breach"

Cornell employees this past summer discovered a security breach on a computer that contained personal information, such as names, addresses, social security numbers and bank names and account numbers. After conducting an analysis of the breach, Cornell Information Technology (CIT) did not find evidence that any information stored on the computer had been inappropriately accessed.

Early last month, the University notified the 900 individuals whose data was stored on that computer.

From the Cornell Daily Sun, “Security Breach Found in Archive.” [link to http://www.cornellsun.com/vnews/display.v/ART/2005/12/02/438fe96922dee no longer works] Cornell was quite selfish in keeping the knowledge secret, rather than notifying their customers:

Simeon Moss, Cornell’s press office director, said that those individuals who had information stored on the computer were not initially contacted when the problem was detected, because CIT wanted to make sure the security breach was analyzed properly — a time consuming and work intensive process.

“It takes time to determine and verify the exact nature of the problem,” he said. “Then it takes time to analyze and determine the extent of the incident and its true risk. And finally, it takes time to determine who needs to be notified and with what information. That communication needs to be coordinated with appropriate offices on campus in order to be consistent and accurate.”

So Mr. Moss, why does all of that take months? The victims of your failure to secure your computers should have been taking what small measures they could months ago. What happened is that your institution lost control of data it demanded. How and why that happened, while interesting, is not really all that important to the victims.
