Presentation on theme: "Breach Database Purpose of Our Session: - present examples of breaches in the educational area - identify the impact of privacy breaches - use the breach."— Presentation transcript:
The Database: Education Focused - Privacy Breach Database
- Consists of some 32 examples of education-related privacy breaches categorized into 7 areas
- Internet links for each breach allow for a review of the specific breach and required action on the part of the institution
- Additional resources and external links conclude the database
- Individual breaches can be examined to highlight the specific nature of a privacy breach
The Database: Malicious Computer Data Breaches
- Hackers Compromise 160,000 Student Healthcare Records at Berkeley, Mills College
  http://www.securitymanagement.com/news/hackers-compromise-160000-student-healthcare-records-berkeley-mills-college-005621
- Hackers Steal Information for Over 70,000 Students/Alumni from Brock University
  http://www.cbc.ca/technology/story/2006/10/12/tech-brock.html
- Southern Connecticut State University Servers Compromised by Spam Operation Potentially Exposing the Data of 11,000 Students
  http://www.pcworld.com/businesscenter/article/145087/after_web_defacement_university_warns_of_data_breach.html
The Database: Malicious Computer Data Breaches
- Austin University Student Hacks into His School’s Computer System, Accessing Over 50,000 Social Security Numbers & Other Data
  http://www.msnbc.msn.com/id/9239576/
- Potentially 400,000 Student Records Breached When San Diego University Server Is Infiltrated
  http://attrition.org/dataloss/2004/03/sdsu01.html
The Database: Accidental Computer Data Breaches
- Faculty Member at an Ohio University Accidentally Places Social Security & Grade Report Online – Data is Public for Over 3 Years before Being Noticed
  http://www.miami.muohio.edu/documents_and_policies/privacyhelp.cfm
- A City College in Edmonton Accidentally Makes Student Data Available Online – Data Included Credit Cards, SIN Numbers, Signatures, Etc.
  http://attrition.org/dataloss/2007/10/macewan01.html
- Student Aid Records for 90 Individuals in Newfoundland were Publicly Exposed Due to a Security Hole in an Online Database
  http://www.cbc.ca/consumer/story/2008/09/08/student-breach-data.html
- Hundreds of McGill Student Academic Records Accidentally Made Public on School Website
  http://www.cbc.ca/canada/montreal/story/2007/04/27/mcgill-privacy.html
The Database: Accidental Computer Data Breaches
- Teacher in Manchester, England Accidentally E-Mails Attachment with Student & Employee Data to Hundreds of Other Students & Employees
  http://www.vbsnet.com/news/2009/04/30/ico-acts-on-student-privacy-breach.html
- Four University of Texas Professors Accidentally Posted the Private Data of Thousands of Students Online
  http://www.woai.com/content/news/newslinks/story/U-T-Students-Personal-Information-Accidentally/VQQrtNfAc0WcWgWzVtMU1g.cspx
- Ryerson University Software Glitch Accidentally Posts Student Data Online – Issue Not Corrected for Weeks after the School was Informed of the Breach
  http://www.itworldcanada.com/news/ryerson-privacy-breach-highlights-immature-it-analyst-says/109118
- Western University Exposes the Data of Over 1,000 Graduate Students - Data was Posted on an Unsecured Portion of Western’s Website
  http://communications.uwo.ca/com/western_news/stories/western_apologizes_for_privacy_breach_20051027434109/
The Database: Malicious Physical Document & Data Breaches
- Laptop with the Data of Over 98,000 Students Stolen from the Graduate Admissions Office of Berkeley University
  http://www.channelregister.co.uk/2005/09/16/berkeley_laptop_theft_arrest/
- Newfoundland School Board Found in Violation of Privacy Laws After Stolen Laptop Exposed the Records of 28,000 Students
  http://www.cbc.ca/canada/newfoundland-labrador/story/2008/07/25/school-theft-privacy.html
- Entire Student Roll at College in Nassau New York Stolen from Administrative Office – Over 21,000 Students Affected
  http://attrition.org/dataloss/2006/12/nassau01.html
- Two University of Alberta Hospital Laptops Stolen – Over 300,000 Affected
  http://www.cbc.ca/canada/edmonton/story/2009/06/24/edmonton-laptop-theft.html
The Database: Accidental Physical Document & Data Breaches
- Sensitive Student Information Found Along Road from Nashville, TN High School (Video Report Included)
  http://www.wsmv.com/news/18966430/detail.html
- Keller, TX High School Mails Incorrectly Addressed Private Data to Hundreds of Students
  http://datalossdb.org/archives/1099/2121/index.txt
- New York City School Accidentally Leaves 12 Boxes of Student Records on Curb
  http://query.nytimes.com/gst/fullpage.html?res=9F0DE4DD143EF937A15752C1A9629C8B63
- Tennessee State University Employee Misplaces Flash Drive with Social Security Data Of Over 9,000 Students
  http://www.wsmv.com/education/17464384/detail.html
The Database: Accidental Physical Document & Data Breaches
- College Student Data Intended to be Shredded is Discovered Off-Campus
  http://attrition.org/dataloss/2005/08/and01.html
- Hard Drive at Colorado University Goes Missing – Potentially Exposing 15,790 Students
  http://www.jrrobertssecurity.com/security-news/security-crime-news0028.htm
The Database: Visual Privacy
- Story about Teacher in Quebec Negatively Affected by Cell Phone Video of Her Posted on YouTube by Students
  http://www.cbc.ca/canada/ottawa/story/2006/11/24/you-tube.html
- Stanford University Fights for Privacy Rights of Student Pictures Posted Online
  http://www.sfgate.com/cgi- in/article.cgi?f=/c/a/1999/09/23/MN55114.DTL&type=printable
- Article on Benefits and Perils of Video Cameras on School Buses
  http://www.westmountexaminer.com/article-cp80346034-School-buses-may-be-wired-for-surveillance-privacy-experts-warn-of-perils.html
The Database: Visual Privacy
- English Newspaper is Censured for Posting Student Photos Online Without Permission
  http://www.timesonline.co.uk/tol/news/uk/article2260869.ece
- Article on the Quebec Student Known as the “Light-Sabre Kid”
  http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20090318/online_privacy_090318/20090318?hub=SciTech
The Database: Anonymous Information
- City of Regina Accidentally Gives Out Extraneous Data to Outside Researchers Exposing Thousands
  http://www.cbc.ca/canada/saskatchewan/story/2009/02/11/regina-information.html
- YouTube and Viacom Agree to Mask Viewer Data
  http://www.usatoday.com/tech/products/2008-07-15-2584242500_x.htm
The Database: Data Storage Locations
- An Article on Google, Lakehead University and Their Connection to the U.S. Patriot Act
  http://www.theglobeandmail.com/news/technology/article675014.ece
- CBC Article on Health Records Vs. The Patriot Act
  http://www.cbc.ca/health/story/2008/05/05/fhealth-digitalrecords.html
The Database: Additional Resources
- “Data Loss Database”: Searchable Database of over 2,500 privacy breaches from across the world, affecting almost 5 million records.
  http://datalossdb.org
The Database: Additional Resources
- Privacy Rights Clearinghouse: Chronological Database of Hundreds of Privacy Breaches
  http://www.privacyrights.org/ar/ChronDataBreaches.htm
- IPC: Information and Privacy Commissioner of Ontario
  http://www.ipc.on.ca
Media Reports
Excerpt: January 28th is Data Privacy Day around the world, a day dedicated to raising awareness about protecting personal information, especially online. The article contains a list of the major data privacy issues today, according to the privacy commissioner's office. This is a short sample:
- New technologies emerge daily, but often personal information is required to use them. Consider how much information you have handed over to play online games, join social networks or even shop online. And what happens if the information ends up in the wrong hands?
- Watch out for fraudulent e-mails, be on guard against phishing -- lying about the real reasons someone is data mining -- and much more.
Hamilton Spectator - Jan. 28, 2010
http://www.thespec.com/article/713274
Media Reports
“Privacy czar launches investigation over personal-settings tool”
Privacy commissioner Jennifer Stoddart said yesterday the complaint focuses on a personal-settings tool introduced by Facebook last month. The complainant alleges new default settings would have exposed his information to a greater degree than settings he had previously put in place. Elizabeth Denham, the assistant privacy commissioner, said in a news release the grievance echoes other concerns expressed in recent months. "Some Facebook users are disappointed by certain changes being made to the site -- changes that were supposed to strengthen their privacy and the protection of their personal information."
Hamilton Spectator - Jan. 28, 2010
http://www.thespec.com/article/713275
Identity Theft “Identity Theft is much more than credit & debit card skimming. It is the unauthorized collection and fraudulent use of someone else’s personal information.” Hamilton Police Department Definition
Identity Theft: Types of Identity Theft
- Thief obtains a credit card in victim’s name using personal information.
- Thief calls victim’s credit card company, pretending to be the victim.
- Thief changes the address on victim’s credit card account. In this instance victim may not know of theft for quite some time.
- Thief obtains a cell phone account in victim’s name using stolen identification.
- Thief opens a bank account in victim’s name using stolen identification.
- Thief steals credit or debit card information from victim’s card. The thief then manufactures a forged card and attacks victim’s account.
Identity Theft: Some Facts about Identity Theft
- Identity theft, skimming and other crimes related to criminals getting your personal information are the fastest growing and costliest consumer crime in North America
- Identity theft crimes have grown 100% every year since 1997, the year that this type of crime began to be taken seriously
- In 2003 (the most recent year stats were available), identity theft cost the Canadian Economy 2.5 billion dollars, and has only risen from there
- Canadians have a 1 in 10 to 1 in 20 chance of being victimized by Identity Theft in their lifetime. By comparison, your chance of being physically victimized (via assault, robbery, etc.) in your lifetime is much less than 1 in 100.
Source: Hamilton Police Dept.
Identity Theft: Law Enforcement Suggestions on How To Avoid Identity Theft
- Place passwords on your credit and debit cards and change these often. Avoid using easily available information, i.e., birthdate and phone numbers, as your password.
- Secure personal information in your home.
- Don’t give personal information out over the phone, through the mail or over the internet, unless you initiate the contact.
- Guard your mail and your trash from theft. Deposit outgoing mail at the post office or secure box instead of an unsecured mailbox. Remove mail from your mailbox promptly. Put your mail on hold if you are going to be away.
Source: Hamilton Police Dept.
Identity Theft: Law Enforcement Suggestions on How To Avoid Identity Theft
- Shred all mail and paperwork that contains personal information.
- Do not carry your SIN card on your person; keep it in a safe place. This should also be so for any identification not needed on a daily basis.
- When using your debit or credit card always keep it in your view, watch the clerk as they process your card and always protect your PIN.
Source: Hamilton Police Dept.
Using The Database: Teacher In-service Using the Breach Database
- Select a database item from one of the 7 areas
- Connect to the internet through the link
- Printed examples will be used in the workshop
- Review with staff the event, nature of the breach and type of information compromised by this breach
- Pose the following questions for discussion:
  a) Was the information of a nature that could compromise the identity of the individual?
  b) Could the information be used for malicious purposes?
  c) Are there legal implications for our organization due to the loss of this data?
  d) Have we followed the necessary steps to inform the parties of the loss of this information?
  e) Have we done or can we do anything to re-secure this information?
Using The Database: Now It’s Your Turn
Create a group for discussion purposes: your board team, or a group of 5 or 6
1) Select a breach from the database.
2) Review the breach on the internet or use one of the printed examples.
3) Pose the questions.
4) Be prepared to report your discussion (20 minutes).
5) Each team's reports will be posted.
Using The Database: Best Practices to Prevent Breaches
Resources available for use in teacher in-service:
- Privacy videos found on the London region MISA website www.misalondon.ca
- Teacher videos
- Administration and Central Staff videos (Principals)
- I.T. Videos
- MISA Breach database found in PDF format on the MISA website resources
- PIM Guidelines
PIM Videos: Physical Document & Data Protection for Teachers
http://misalondon.ca/teacher_videos06.html
PIM Videos: Digital Data Protection for Admin/Staff
http://misalondon.ca/teacher_videos02.html
PIM Videos: Discussion Questions for Teachers
Physical Document & Data Video:
1. Is there a clear purpose for each type of personal information that I collect, use, retain, or disclose?
2. Do I know when it is appropriate to destroy personal, confidential, or sensitive information? When destroying such information, do I place it in the appropriate shredding bins?
3. Are Ontario Student Records (OSR) and Office Index Cards securely stored in the main office of the school and accessible only by authorized personnel in the main office of the school?
4. Do I ensure that information about a student(s) is shared only with other staff in the school who are assigned to work with the student(s), and only as needed to improve the education of the student(s)?
PIM Videos: Discussion Questions for Admin/Staff
Digital Data Protection Video:
1. Have I safeguarded all electronic personal information records maintained in password-protected databases?
2. Do I refrain from storing personal, confidential, or sensitive information on a Shared Network Drive?
3. Do I immediately pick up any personal, confidential, or sensitive records sent to printer or photocopier or received by fax?
4. Before sending personal, confidential, or sensitive information via email, have I considered taking precautions such as removing personal information?
continued...
PIM Videos: Discussion Questions for Admin/Staff
Digital Data Protection Video:
5. Are computer access rights reviewed and updated regularly to ensure that I do not have access to personal information that I do not need to perform my duties and responsibilities?
6. Am I following the procedures in place for safeguarding personal information on laptops, memory sticks, personal digital assistants (PDAs, e.g., BlackBerry devices), etc.?
7. Do I sometimes share passwords with others? If so, do I immediately change my password afterwards?