“The University of California has suffered yet another potential data breach, this one involving the names and Social Security numbers of about 7, 000 students, faculty and staff at the San Francisco campus.
“For Sen. Diane Feinstein, D-Calif., enough is enough. She told me Tuesday that she'll introduce federal legislation within the next few days requiring encryption of all data stored for commercial purposes.
“This latest incident involving UCSF follows news that UC Berkeley lost control of personal info for nearly 100,000 grad students, alumni and applicants last month when a laptop computer was stolen from an unlocked campus office.
“It also follows a flurry of other security lapses, including San Francisco's Wells Fargo, the nation's fourth-largest bank, experiencing no fewer than three data breaches due to stolen computers over the past year and a half.”
Senator Feinstein said, “What this shows is that there is enormous sloppy handling of personal data.”
It seems to me the question of whether the personal information was handled sloppily or tidily is just part of the problem. I'm equally bothered by the information being there in the first place. How and why did it get there? Did the identified subjects agree to this usage of the information? Why were public identifiers (social security numbers) kept for private individuals? Once these questions are answered, we can turn to operational issues: why the information appeared on a test machine, and why a test machine was deployed with no firewall.
All of this is so far a disturbing mystery. There should be a public investigation of the circumstances through which this breach (and all like it) came about. We need to understand what was going on in the heads of the people who put the data on the compromised machine. The best practice is not to store unnecessary information, and not to store it in unnecessary places. What were these guys thinking about? We need to build peoples’ understanding of the underlying issues.
I expect this information disaster came about by breaking four identity laws at once. What a run!
Were users in control of what their information was being employed for? Were they told where and how it was being used (law of user control)?
Was there really a need to store social security numbers rather than some local or derived identifier (law of minimal information, law of directional identity)?
Would the identified subjects see a “test machine” as a legitimate party to their identity relationship with the university (law of fewest parties)?
Encryption is a good idea but will probably lead to a false sense of confidence and further breaches. We need a more holistic solution.
One final comment. We should give UCSF's forensic staff credit for detecting the breach:
In UCSF's case, campus techies noticed in late February that a server used in part by the university's accounting and personnel departments was generating an unusually high level of network activity.
I'm willing to bet things like this are happening almost everywhere and almost every day – but that most institutions don't have the mechanisms in place to detect what is going on.