Interesting.

ESI is running an article about a potential information disclosure at Southern Connecticut State University.

Southern Connecticut State University has alerted current and former
students after a review of a university web site discovered a
vulnerability that could have allowed an unauthorized individual access
to personal information. During a recent review of a web server, the
university discovered that unauthorized individuals could have had
access to applications for graduation dating back to 2002.
Source: ESI press release

What I find interesting in this is that the university chose to notify students, while there does not seem to be proof of a disclosure, just a vulnerability that could potentially have been abused. All affected students (past and current) are offered two years of credit watch.


Even if a vulnerability was exploited on a server that also contained that information, notification might not be required:

Connecticut breach notification law states:

Any person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall disclose any breach of security following the discovery of the breach to any resident of this state whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person through such breach of security.
Source: CT notification law
The next question becomes: when is it reasonably believed to have been accessed? Most compromised web applications that I have seen were exploited for defacement, to host malware, or to host other illegal content. Hardly ever were they used to go after other data that is stored on them. This is especially the case for Universities, who are typically on high-bandwidth pipes.

What is the implication for other institutions if it becomes common practice to notify when a vulnerability has been identified, without there being any signs of an actual breach? While it commendable that Southern State University is taking such a transparent and pro-active position, the decision to do so may have been taken too quickly.

It is same to assume that at least half of all web application that are currently in use have some form of vulnerability in them. If all organizations that deploy such applications have to start notifying their users that program may contain vulnerabilities that could be exploited to possibly gain unauthorized access to information, we might as well pull the plug and sit in our corners until we learn to develop applications that are 100% secure. I do not see that happening any time soon.

I am a very big advocate of privacy and due care. However, I cannot help but feel that this notification is a bit premature. I would also be very interested to see if any research has been done to find out how many times people that have been put on credit watch after a breach have actually become a victim of identity theft, and of those victims, how many can actually be tied to the unintended disclosure.

Breach notification laws are a good thing, because they make us look after our data a lot better, but I cannot feel that we cry wolf much too often.