Thursday, February 20, 2014

University of Maryland data breach

Unfortunately, the University of Maryland has the dubious privilege of listing itself among data breach victims. A message posted to the University's web site notifies the public that some 300,000 records containing private information have been breached.

I am not going to speculate about the root cause of the breach, but I am hopeful that more details will become available as time progresses. The fact that there is an active law enforcement investigation does not help in obtaining transparency though.

The message itself did contain a lot of good information. Enough that I want to highlight some of it here:

"Last evening, I was notified [...] that the University of Maryland was the victim of a sophisticated computer security attack that exposed records containing personal information."

The fact that the notification went out less than 24 hours after their president was informed is telling. It could mean that relevant information did not trickle up fast enough, or that the institution has a very well developed incident response plan, very strong senior leadership, or both. Assuming it is the latter, such fast notification deserves compliments: publicly acknowledging a data breach less than 24 hours after the top-level official becomes aware of it is commendable.
"A specific database of records [...] was breached yesterday."

Detecting a data breach in less than 24 hours is a fantastic job. Although it must have been a really bad day for their security team, their analysts can be proud of a job well done.
"That database contained 309,079 records of faculty, staff, students and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number. No other information was compromised -- no financial, academic, health, or contact (phone, address) information."

This is extremely detailed and definitive information. It appears that the institution has a good grasp of the data in its custody, and that it was able to pull these numbers together very quickly. While that may appear trivial, it is often a very complex thing to do in an enterprise environment.
"The University is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service."

The credit monitoring deal is more or less expected these days. What is notable is that, again, there is a strong commitment by the leadership to be unambiguous and (very) timely. The statement clearly says what will happen and by when it will happen.

They continue with a warning that is very appropriate:
"University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information."

A breach of this much personal information will, most likely, lead to targeted phishing attacks, if nothing else. Including this warning might not help all that much, but at least they tried! The fact that they limit the warning to email communication is a little troubling though; the same data lends itself just as well to impersonation over other channels.
"We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools. Obviously, we need to do more and better, and we will."

For a public statement by a person in a senior leadership position to distinguish engineers from analysts is something we also do not see all that often. Engineers build, and should be involved in any and all software development, adoption, or usage decisions. Analysts monitor for signs of trouble and investigate alarms. Both roles are important and should not be confused.

"Recently" is not further quantified, so we really cannot tell much from that aspect of the statement.

Finally,
"Again, I regret this breach of our computer and data systems. We are doing everything possible to protect any personal information that may be compromised."

The statement owns the fact that something bad happened. It does not try to cover up, minimize, or even deny that something unfortunate has happened. It also speaks of a commitment to minimize the impact of the damage that has been done.

All in all, I feel sorry for the University of Maryland that they have to go through this, but their initial response to the breach seems to be commendable, and is a sign of strong leadership in a time of crisis.
