69
University of Hawaii alumni whose personal information was posted online without their permission should demand an independent security audit to pinpoint problems with university information technology systems, according to a privacy advocate.
In addition, legislators in Hawaii should consider a new law that would levy stiff fines for anyone who makes such disclosures, says attorney Aaron Titus, privacy director for the Liberty Coalition, sponsor of NationalIDWatch.org, which provides free identity exposure reports as a public service.
Titus told the Star-Advertiser last week: "This is the third major breach in less than a year and a half. If the university had been practicing good information policy, this breach should have not occurred."
The latest disclosure was about a faculty member at the West Oahu campus who apparently inadvertently uploaded personal information of 40,101 students to an insecure, unencrypted University of Hawaii-West Oahu website on Nov. 30, 2009.
In response, David Lassner, university vice president for informational technology, said, "The university is now considering more all-encompassing approaches to improving security throughout the UH system, which certainly could include external audits and or expert consultation."
Lassner acknowledged that past "multiple external reviews" of information technology systems on its 10 campuses have not focused on securing all computers.
As for levying fines for illegal Internet postings, Tina Shelton, UH spokeswoman, said: "The university would analyze and provide input on any specific legislation that might target the institution or its employees. We do generally support efforts to heighten awareness of Internet security issues. We agree this is vitally important."
Titus’ Washington, D.C.-based privacy policy institution discovered the breach Oct. 18 through a Google search. Titus found available online everything from a student’s Social Security number, marital status, addresses and citizenship to the highest level of education attained by parents.
On Wednesday, Titus invited university officials, UH alumni and news media to participate in a conference call to discuss the breach. UH officials declined to participate.
Shelton said: "Our focus has been and continues to be sending personal e-mails, personal letters and providing a personal help line for our students as a meaningful outreach to the individuals affected by the mistaken data posting. It was merely a higher priority than participating in another organization’s press event today."
UH-West Oahu spokesman Ryan Mielke said an ongoing internal investigation would answer many of questions still being raised and that UH has activated a hot line to help affected students.
During the conference call, several callers who said they were UH alumni asked about prosecuting anyone who released such information.
Titus said that although the FBI was contacted, no crime was committed and law enforcement officials can prosecute only someone who uses the information falsely.
The university has not released the identity of the retired faculty member, who UH officials believe did not act out of malice, but was trying to update a previous study he had done on why college students drop out.
Titus said the retiree made same the mistake as faculty members throughout the country who unwittingly upload information believed to be secure.
This was the third such security breach involving the university system since May 2009, when information on more than 15,000 students who applied for or were granted financial aid at Kapiolani Community College was compromised due to a computer infected by malware.
In May, a hacker breached the security of a UH parking office computer server that contained personal information on 53,000 people. Possibly compromised were 40,870 Social Security and 200 credit card numbers, officials said.
