[ISN] Public Safety reports computer security breach

[InfoSec News]

http://www.udel.edu/PR/UDaily/2006/may/breach052306.html

May 23, 2006

A recent security breach involving a University of Delaware Department
of Public Safety computer server has resulted in the possible exposure
of names, Social Security Numbers and driver's license numbers.

James J. Flatley, UD director of public safety, said the breach
consisted of an intrusion into the server that hosts the department's
main records management system.

It appears that the intruders were interested in copying at least some
of the information in the database, Flatley said, and therefore it is
possible that information that could lead to identity theft is in the
hands of an unauthorized person.

Flatley said the security breach was discovered April 8, and the
department immediately implemented its cyber incident response plan.  
Also, the department is conducting a full criminal investigation of
the incident that involves the Delaware State Police and the FBI.

The University's policy is to notify all individuals if their personal
information may have been compromised following such incidents, and a
letter has been sent to everyone whose personal information may have
been compromised. The letters inform them of the breach and share
information on how to combat identity theft. It is unknown whether any
personal information was actually acquired in this case.

In all, 1,076 letters have been sent, Flatley said.

Individuals with concerns about identity theft may visit a special web
site prepared by Information Technologies at
[www.udel.edu/security/identitytheft.html].

UD's Office of Information Technologies has conducted a campuswide
campaign to help departments protect sensitive personal nonpublic
information (PNPI), such as Social Security and credit card numbers.  
Every University department was visited and advised about proper
security for stored PNPI.

Information Technologies staff also stressed collecting such
information only when required and reiterated the responsibility of
each employee to follow UD policy, Delaware laws and federal laws and
regulations for the processing and safekeeping of confidential,
personal information.

"In every department, those individuals who are responsible for
maintaining records must understand that they are responsible for
assuring compliance with the Family Educational Rights and Privacy Act
(FERPA) and other laws that govern the use of PNPI," Susan Foster,
vice president for information technologies, said.

"This includes not only the proper use of PNPI but the responsibility
to secure systems in which it resides," she said.

Although the University has moved away from using Social Security
Numbers as identifiers, some older databases that University
departments and units set up in the past may still have such
information.

Information Technologies has posted guidelines aimed at helping
departments secure PNPI and make sure they are in compliance with the
University policy and the law. Those can be found at
[www.udel.edu/ssn/guid.html].

The guidelines direct departments to ensure the privacy of PNPI by
encrypting electronic transmissions, not storing PNPI locally and
protecting PNPI when working from home or outside the University.

Members of the University community with questions about uses of PNPI
should call the Information Technologies Help Center at (302) 831-6000
or send email to [consult at udel.edu].

Additional information is available at these sites:

 Protecting Personal Non-Public Information [www.udel.edu/ssn/]; 
 UD Computer Security [www.udel.edu/security/]; and 
 Responsible Computing: A Manual for Staff 
 [www.udel.edu/ecce/staff.htm].