On June 5, servers in Electronic Student Services at Western were compromised. Social Security Numbers, credit card numbers, and other personal information for up to 240,000 current and former students may have been copied.
Frankly, the university response has been embarrassing. Notifications were not sent out until June 14, and at the time very little information was provided. Details weren’t provided until June 16—and the press was notified before WIU students and employees. All in all, the response has been much more oriented towards public relations than timely notification of those whose Social Security Numbers may have been duplicated. The University is clearly more interested in covering its ass and public image than actually cleaning up after the incident.
The incident and the pathetic response raise some serious questions:
- Why the hell does WIU need Social Security Numbers on more than one server? We use ID numbers instead of SSNs; the latter need only be recorded one time for transactions with government agencies. Financial aid folks need access to this data. But who else?
- Why are servers which handle credit card transactions—arguably targets for crackers—housing other sensitive data?
- Why are these machines on the public internet, anyway, rather than on private IP address space reachable only from campus?
- What other vulnerabilities at Western are waiting to be exploited—or have been exploited without notification and knowledge?
- Why does the press get to know details of the incident before those affected?
- How am I supposed to encourage faculty to use network services if they can’t be assured of student privacy and security?
The lack of response is emblematic of the attitude WIU IT decision-makers take toward users. We are the last to find out about anything. We have little or no decision-making power. Our needs are much less important than the preservation of the status quo. I say this not just because of this recent incident, but because it’s been a pattern since I started at Western.
And I have to say I saw this coming. As of today, WIU servers are still running software with known vulnerabilities. Plain-text logins are still permitted for telnet, ftp, and mail (in fact, secure authentication for IMAP is not even supported).
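The IMAP complaint above is something an administrator can verify rather than take on faith. Under RFC 3501 a server that wants to keep passwords off the wire advertises STARTTLS and LOGINDISABLED in its pre-TLS CAPABILITY response; a server that omits LOGINDISABLED, or offers AUTH=PLAIN or AUTH=LOGIN before the connection is upgraded, accepts credentials in the clear. The following audit script is an added example and is not code from the original post or from WIU; the capability lines it checks are constructed, and the `probe()` helper and its `mail.example.edu` host name are assumptions, shown only to illustrate how the same check would be run against one's own server.

```python
"""Audit an IMAP server's pre-TLS CAPABILITY line for plaintext-login exposure.

Added example (not from the original post). The sample CAPABILITY lines in
SAMPLES are constructed; the live probe() helper is optional and assumes a
reachable host that the administrator owns.
"""
import imaplib
from dataclasses import dataclass, field

# SASL mechanisms that transmit the password (or its equivalent) in the clear.
PLAINTEXT_SASL = {"PLAIN", "LOGIN"}


@dataclass
class ImapAuthPosture:
    starttls: bool
    login_disabled: bool
    plaintext_mechs: list = field(default_factory=list)

    def allows_cleartext_login(self) -> bool:
        # RFC 3501: unless LOGINDISABLED is advertised, the LOGIN command is
        # accepted on the unencrypted connection. A plaintext SASL mechanism
        # offered before TLS has the same effect.
        return not self.login_disabled or bool(self.plaintext_mechs)


def parse_capability(line: str) -> ImapAuthPosture:
    """Parse an untagged '* CAPABILITY ...' response (or a bare token list)."""
    tokens = line.strip().split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    caps = {t.upper() for t in tokens}
    mechs = sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH="))
    return ImapAuthPosture(
        starttls="STARTTLS" in caps,
        login_disabled="LOGINDISABLED" in caps,
        plaintext_mechs=[m for m in mechs if m in PLAINTEXT_SASL],
    )


def classify(posture: ImapAuthPosture) -> str:
    """One-line verdict suitable for an audit report."""
    if posture.allows_cleartext_login():
        return "EXPOSED: credentials may cross the network in the clear"
    return "OK: plaintext login disabled before TLS"


def probe(host: str, port: int = 143) -> ImapAuthPosture:
    """Fetch the real pre-TLS capability list from a server you administer.

    imaplib reads the CAPABILITY response during connect and stores it in
    the .capabilities tuple; this helper is not exercised by main().
    """
    conn = imaplib.IMAP4(host, port)
    try:
        return parse_capability(" ".join(conn.capabilities))
    finally:
        conn.logout()


# Constructed sample responses, labelled with the posture each represents.
SAMPLES = {
    "hardened server":          "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED",
    "plaintext SASL before TLS": "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN",
    "STARTTLS but LOGIN allowed": "* CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5",
}


def audit_samples() -> dict:
    """Classify every constructed sample; returns {label: verdict}."""
    return {label: classify(parse_capability(line)) for label, line in SAMPLES.items()}


def main() -> None:
    for label, verdict in audit_samples().items():
        print(f"{label:28s} {verdict}")
    # To check a real server you own, e.g. (assumed host name):
    # print(classify(probe("mail.example.edu")))


if __name__ == "__main__":
    main()
```

The third sample is the one that trips people up: offering STARTTLS is not enough, because a client that never issues STARTTLS can still send LOGIN in the clear unless the server also advertises LOGINDISABLED until the connection is encrypted.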
Some people need to be fired, and I’m not talking about a system administrator or two. I mean the “leadership” who allowed this to occur. This incident was 100% preventable, and we need radical change to ensure it won’t happen again. We need to crush the system-centered culture that dominates IT at WIU—no matter how many firings it takes. Faculty need to be much more heavily involved in policy-making. We need to be making decisions about how IT works at Western—not career bureaucrats with a bunch of Microsoft-supplied letters after their names.