Privacy Violations

Don Kiely blogs about a problem that the University of Alaska had with some personal data being lifted from their network. The disturbing part of this (and something that I expect is not uncommon) is that the system was sitting on a server as part of a kludge to support authentication. It likely did not get the attention it deserves. Even more important, the file uses student's SSN as the identifier, even when students had explicitly requested use of a pseudo SSN rather than their real SSN.

How many files do you have out there with data you wish was not there? Given the constant torrent of new work in most IT groups today, reviewing old vulnerabilities likely do not rise to the level that they should. What can you do about changing that where you work?

Posted by Douglas Reilly at 01:23 PM  Permalink