On July 17 of this year, hackers breached the University of Delaware’s computer network that allowed the confidential data of more than 70,000 current and former employees to fall into the hands of cyber criminals.
U of D officials told media that there was no indication that any protected health information, personal financial information or Social Security numbers were compromised.
Later that month, someone hacked the computer system at Stanford University and later claimed on Twitter to have gained access to and downloaded all of that university’s data.
And in 2008, a 20-year-old Carleton University student faced criminal charges after a hacker accessed the electronic accounts of 32 students. In that case, claims of a breach of security in the university’s electronic system came to light after a letter was sent to university officials with a list of the students’ accounts and their passwords.
The writer, who used a pseudonym, claimed he had easily broken into the accounts using a program that captured computer keystrokes.
When it come to these kinds of hacker attacks, there is a very real threat that private student information may have been viewed and downloaded, and it’s incumbent upon universities to treat each situation seriously. Accessing other people’s information without authorization is illegal and carries some hefty criminal penalties.
That’s why we have some concern with comments made by Brandon University president Deborah Poff who on Wednesday chose to belittle the rightful concerns of university students and those who had merely applied to the institution but never attended BU.
As we reported yesterday, names, addresses, birth dates and social insurance numbers were some of the pieces of information a computer hacker gained access to after at least one of BU’s servers was infiltrated.
BU officials only got proof of the hack on Oct. 14, thanks to an email from the individual who illegally gained access to a server that contained a number of what Poff called web-based student applications, for an unknown period of time. She said the university had been using the database to develop an online web application so prospective students could apply online.
While some of the information contained in the application was dummy data, other information had been pulled from people who had previously applied to the university between 2004 and 2009. The majority of the information accessed, according to Poff, was from people who applied to BU, but never attended school in Brandon.
A private company is now combing through the entire system, compiling a comprehensive audit that could potentially reveal more breaches on more servers.
As a result of this situation, Brandon University faces some troubling questions regarding how the university handled the hacking ordeal, and the university’s use of real information gleaned from prior student applications.
By law, the university didn’t actually have to reveal the breach to students so we give BU credit for doing so. But as third-year student Joe Dauphinais said, we wonder why university staff waited four days before coming clean after shutting down the system to contain the breach.
We also find it difficult to understand why these applications required real data in the first place. Why could they not have created an entire set of randomly generated data rather than rely on actual data that was acquired by the university through an application process? In this case, BU was still storing information about applications from nine years ago.
“It begs the question: how much of that information still needs to be retained?” Pitblado Law privacy lawyer Brian Bowman told the Sun.
While Bowman also said there could be legitimate reasons why the school kept the information and chose to use it in the creation of an in-house application, we believe it would be difficult to convince applicants of that assertion.
It should be troubling for any university applicant to know that an institution would keep such private information unnecessarily stored in its computers, and then allow it to be used for experimental online programs — even if they weren’t hacked into by unknown persons.
When asked by the Sun if former applicants had been made aware that their information was being used in application development, Poff became highly defensive with a Sun reporter.
“I’m not going to answer that ... nor do I think it helps this university right now, hypothesizing about what someone might have thought about nine years ago when they were testing a database,” she said.
When Poff was a student, she said it wouldn’t have concerned her if it was her information that had been hacked.
“I applied to at least 10 universities. Would I particularly care if Ryerson (University) told me sometime later that someone looked at my application — I don’t think it would have bothered me that much.”
To be fair, Poff and the university administration are likely under considerable stress right now as a result of this breach. But she should never have made light of the situation as she did.
If Poff is willing to post her own private information like her social insurance number, birthdate and other data on the Internet for all to see, that’s her business. But for her to imply that other people have no business being concerned, when the full extent of the breach has yet to be ascertained, just seems callous.
Republished from the Brandon Sun print edition October 25, 2013