WIU security breach

On June 5, servers in Electronic Student Services at Western were compromised. Social Security Numbers, credit card numbers, and other personal information for up to 240,000 current and former students may have been copied.

Frankly, the university response has been embarrassing. Notifications were not sent out until June 14, and at the time very little information was provided. Details weren’t provided until June 16—and the press was notified before WIU students and employees. All in all, the response has been much more oriented towards public relations than timely notification of those whose Social Security Numbers may have been duplicated. The University is clearly more interested in covering its ass and public image than actually cleaning up after the incident.

The incident and the pathetic response raise some serious questions:

  • Why the hell does WIU need Social Security Numbers on more than one server? We use ID numbers instead of SSNs; the latter need only be recorded one time for transactions with government agencies. Financial aid folks need access to this data. But who else?
  • Why are servers which handle credit card transactions—arguably targets for crackers—housing other sensitive data?
  • Why are these machines on the public internet, anyway, and not private IP?
  • What other vulnerabilities at Western are waiting to be exploited—or have been exploited without notification and knowledge?
  • Why does the press get to know details of the incident before those affected?
  • How am I supposed to encourage faculty to use network services if they can’t be assured of student privacy and security?

The lack of response is emblematic of the attitude WIU IT decision-makers take toward users. We are the last to find out about anything. We have little or no decision-making power. Our needs are much less important than the preservation of the status quo. I say this not just because of this recent incident, but because it’s been a pattern since I started at Western.

And I have to say I saw this coming. As of today, WIU servers are still running software with known vulnerabilities. Plain-text logins are still permitted for telnet, ftp, and mail (in fact, secure authentication for IMAP is not even supported).

Some people need to be fired, and I’m not talking about a system administrator or two. I mean the “leadership” who allowed this to occur. This incident was 100% preventable, and we need radical change to ensure it won’t happen again. We need to crush the system-centered culture that dominates IT at WIU—no matter how many firings it takes. Faculty need to be much more heavily involved in policy-making. We need to be making decisions about how IT works at Western—not career bureaucrats with a bunch of Microsoft-supplied letters after their names.


7 Responses to WIU security breach

  1. Jonathan says:

    That’s bad news. But doesn’t this culture exist, to some degree at least, at every university? I haven’t, sadly, contributed anything to the OS working group; but, even in my limited experience, I can see that IT-dept. inertia is vast, requiring a cataclysm to halt or reverse.

  2. cbd says:

    I imagine it does. But (1) I know places where faculty are included much more than they are here; (2) the exclusion still stinks.

  3. Dean says:

    Technology at WIU has been a secretive society at WIU for years. I was doing some research for an independent research paper that I am writing and found that most, if not all, of the technology-related meeting minutes at WIU are not placed in the archives. The annual reports are missing as well. Information flow from technology departments to the university is very problematic.

    Unfortunately, there are differences in management styles that keep WIU from moving forward with regard to technology. Some managers may want input from faculty and staff, while others would rather have 100% control regardless. This is likely due to technology managers who may have a wealth of technology-related know-how, but lack enough knowledge and experiences to exist in a cooperative environment such as higher education.

    To see the exact opposite, cruise on over to http://www.cio.uiuc.edu
    Pete Siegel, CIO of UIUC, also keeps a blog about being a CIO of a university. http://petesiegel.blogspot.com/

  4. Julie says:

    I didn’t find out about this until I got an email from the university TODAY – June 20!

    The letter to the WIU community is pathetic. How long will it take them to notify “anyone who may potentially be affected?” Give me a break.

  5. cbd says:

    Dean, I’ve been frustrated by that as well; CIT meeting minutes were once on the University web site, but have been moved or removed since I was on that committee. (Which was a joke, by the way.)

    Thanks for reminding me about Siegel’s weblog.

  6. Nick says:

    cbd,

    I’ve seen universities do worse. I remember back in 1995-97 when Harvard (money bags central) dealt with a similar issue. Harvard covered their problem up for a long time, until the situation was leaked to reporters. Yet, Harvard’s cracker problem got very little coverage, because money keeps good secrets. When the story broke, Harvard’s crack was only mentioned in a list of cracks that had happened throughout the year: three major banks and Microsoft’s Firewall (worthless security system).

  7. cbd says:

    I’m sure universities have done worse. But many, if not most, are doing much better. I am much more comfortable with good than less bad.
