
Bruhn

Recently, the Indiana Daily Student ran an article about security
and security incidents at Indiana University (“Security breaches cause
for frustration,” Aug. 30). Frankly, I think the inaccuracies and
unbalanced nature of the article did a great disservice to our students
and to the university. I feel it is necessary and important to give
the university community a more accurate picture of computer security
at Indiana University.

First, while we absolutely take these incidents very seriously,
it is important to put the recent releases of personal information
into context. The fact is that there have been only three reported
incidents of disclosures of personal information from university
computers over the last five years. In only one of those incidents
was it confirmed that the data was actually accessed by the perpetrator
(in 1997 by a publicity hound who claimed to be a privacy advocate
and who subsequently posted those records on his Web site). In the
others, there was no evidence that the perpetrator did or did not
access the files.

The reality is that there are literally millions of computerized
records necessarily being maintained by this university, and only
approximately 4,000 of those records have been exposed in those
incidents. To take that one step further, administrators that have
been at IU for some time do not recall any such releases over the
last 20 years.

Further, I know from personal and direct interactions with colleagues
elsewhere that many other universities have had many similar incidents
but have chosen not to make those public or even inform the persons
affected. The Social Security Administration (SSA) reports that
many other institutions that rely on the Social Security Number
(SSN) also experience similar accidental releases of that information,
and that most of those incidents do not become public knowledge
either.

So, why did these recent incidents at IU become so visible? First,
because we have the infrastructure in place to recognize such incidents;
and second, because IU executive administration chose to accept
responsibility for the disclosures and chose to notify the individuals
involved so that they could closely watch for peculiar transactions
in their personal affairs. We did this even though the SSA and other
recognized experts tell us that use of a stolen SSN to cause financial
or other harm to an individual is the rarest form of identity theft.

Nothing I’ve said here should be construed as meaning that we
think such events aren’t serious just because they happen frequently
elsewhere. Indeed, since 1997, IU has put considerably more emphasis
on securing systems and data than most, if not all, of the other
Big Ten schools. We have the largest dedicated IT policy and security
staff of any of these schools and perhaps more than any other large
university in the country. Our security engineers are kept extremely
busy working with systems administrators on securing their systems
and databases, working with staff and students on protecting their
systems from viruses and other dangers, developing security tools,
providing excellent technical security resources and services, and
making sure that university administration is aware of the state
of security and current risks.
See: https://www.itso.iu.edu

Of course we have to recognize that we are an institution of higher
education and not a government defense agency, so we must also ensure
that security doesn’t unnecessarily impede scholarly activities
or services that students want and need. For example, Insite, Oncourse
and Web Registration are all very popular services across our campuses.
Delivering these three services means that some personal data is
put at risk (albeit low risk). If we were forced to eliminate instead
of minimize the risk, none of these applications would have been
developed.

So, why have there been three incidents in the last five years?
First, because over the past five to 10 years, more data has been
distributed away from central IU databases into departmental areas.
In almost all cases, this is done for perfectly legitimate operational
reasons, and has to do with the school or department’s desire to
provide new and better services to students. And, in almost all
of these cases, the data is very well secured. But, obviously, more
copies means more risk of accidental disclosure. The second reason
for these incidents is the dramatic increase in hacker activity
over the past five years, to the point where nearly every machine
on our network is probed for vulnerabilities at least once every
day.

We have recognized the confluence of these circumstances, and
we are taking steps to reduce the amount of distributed data and
to assist those departments that may not be in a position to fully
secure the systems and data that they maintain. For example, all
campus chancellors, deans and other senior administrators have been
asked to direct their staffs to eliminate files containing student
identifiers (SSNs) unless those files are critical to their campus,
school or department activities and to ensure that the files they
must keep are secure. My office has developed and has been distributing
information about how to do this.
See: https://www.itso.iu.edu/howto/bp/
and http://www.itpo.iu.edu/BestInfo.pdf

Another university activity that will certainly help is the implementation
of the new PeopleSoft student information system. This project was
established and funded to replace old systems with new modern ones
and not as a direct response to the security incidents. However,
one of the primary benefits of this new information system is the
capability to use something other than the SSN as the student and
employee identifier. As components of this new system are installed,
the distribution of the SSN as the student identifier will decrease
to a point where the only departments that will need to use the
SSN are those that must do so for legal reasons (financial aid
and payroll, for example).

In the area of incident response, steps have been taken to ensure
quicker reaction should disclosure of information happen again.
In one of the three reported incidents, affected students were not
notified for 22 days after the release of information in the IUB
bursar’s office. University administration recognized that this
was too long, and adjustments have been made. Indeed, the length
of time to send notifications after the School of Music incident
was only six days, which is the time it took to technically verify
the compromise, the presence and possible disclosure of personal
information, and to develop the mailing list.

In conclusion, it is important to know that while IU is unique
in a lot of good ways, IU is not unique in experiencing security
issues as an organization attached to and dependent on the Internet.
Also, we all need to understand that while nothing is 100 percent,
our goal, which we take very, very seriously, is to minimize the
chances of personal and institutional information being inappropriately
released.