Data breaches earn UH an ‘F’

A national organization has given the University of Hawaii a grade of "F" for online security breaches that exposed Social Security numbers and other sensitive information in nearly 260,000 records.

The Liberty Coalition, a nonprofit civil liberties watchdog group, yesterday said more than half of the estimated 479,000 Hawaii records breached since 2005 were those mishandled by UH.

UH officials have promised upgrades for online security procedures in recent years but have failed to act on them, the report said.

"If UH had actually implemented the policies and procedures it has already established, those policies would have prevented or substantially mitigated every single one of its subsequent breaches," the report said.

UH officials have emphasized that they have no reports that any security breaches have resulted in actual identity theft. They also say there is no evidence that any files were accessed maliciously.

The Liberty Coalition, based in Washington, D.C., also takes other state and federal agencies in Hawaii, as well nonprofits and private companies, to the woodshed for lax security.

"Although each breach event may differ slightly, Hawaii has a policy climate which does not give its citizens sufficient means to protect themselves from breaches," the study said. "If identity fraud occurs, the entire burden rests on the individual to recover."

The 479,000 breaches mean as many as one in three Hawaii residents have been victims, the study said.

UH spokeswoman Tina Shelton said the university continues to work on developing ways to guard against future breaches. State Sen. Jill Tokuda, chairwoman of the Senate Education Committee, said she will schedule a hearing to discuss improvements.

In the latest instance involving UH, revealed earlier this month, the personal information of more than 40,000 students was apparently inadvertently uploaded to the Internet by a faculty member at the UH-West Oahu campus who thought the faculty server he was using was secure. The information belonged to students who attended UH-West Oahu from 1986 to 1993, and UH-Manoa students from 1990 to 1998 and in 2001.

The information exposed included Social Security numbers, addresses, citizenship and marital status. It was posted by a now-retired Institutional Research Office faculty member on Nov. 30, 2009, and available online until Oct. 18 of this year, when the Liberty Coalition discovered the information through a Google search and informed UH officials.

UH earlier said the investigation of how the files were posted online is continuing. The faculty member, whom UH officials have not identified, received the data from the research office more than 10 years ago when Social Security numbers were the only method of verifiably identifying students. ID tracking numbers replaced Social Security numbers from 2002 to 2004.

Yesterday’s report by Aaron Titus, an attorney and privacy director for the Liberty Coalition, said he has now learned that there have been five breaches involving UH records since 2005, when such breaches were first tracked. Besides the most recent discovery, there were also record breaches in February and June this year, Titus said. Other breaches took place in June 2005 and April 2009.

Tokuda said she and Sen. Carol Fukunaga, chairman of the Senate Economic Development and Technology Committee, intend to hold an informational hearing in January on the security breaches at UH.

"They’re in the process of coming up with some comprehensive plans and protocol to ensure security is in place for all of its IT systems," Tokuda said. "We know what we know already. I think what we want to do is work on the solutions now."

Whatever solutions UH comes up with could be applied at other agencies with security breaches, she said.

Yesterday’s Liberty Coalition report was compiled at the request of state Sen. Mike Gabbard, who said one of his constituents was among those whose personal information was made public from the breach discovered last month.

"This is absolutely disturbing," Gabbard said. Lawmakers need to look at variety of possible law changes to reduce the potential for breaches, he said.

One idea is placing stiff fines on those who allow a breach, he said. On the other side, the state could also set up a compensation fund to assist those who’ve been hurt by security breaches, he said.

In a statement yesterday, Shelton said: "The board, president and chancellors recognize that improvements are necessary and that resources must be reallocated to improve IT security."

UH leadership "also recognizes that the decentralized approach to IT management that has been applied to IT security is not adequate, particularly in the current environment of severely constrained resources," she said.