1. Three recent breach notifications-
Breach 1: California State University
Date of breach: last week of December 2017
Date of realizing that a breach had occurred: January 12, 2018
Date of notifying the Attorney General: March 6, 2018
Breach 2: GreyHealth Group
Date of breach: January 26, 2018
Date of realizing that a breach had occurred: January 26, 2018
Date of notifying the Attorney General: March 1, 2018
Breach 3: Bed, Bath, and Beyond
Date of breach: November 21, 2017
Date of realizing that a breach had occurred: December 8, 2018
Date of notifying the Attorney General: February 16, 2018
———————————————————————————-
2. On studying the California State University (Fresno) breach further-
What happened:
- Last week of December 2017: Break-in occurred in the Athletic Department
- January 12, 2018: Discovered that unencrypted hard disk with employee and student information was amongst stolen items
- The hard disk contains names, contact information, SSNs, driver’s license number, financial information, and “limited” health information
- March 6, 2018: Letter was written to Attorney General with the above information
https://www.doj.nh.gov/consumer/security-breaches/documents/california-state-university-20180306.pdf
- March 6, 2018: Press release on University website: http://www.fresnostatenews.com/2018/03/06/fresno-state-notification-of-data-security-incident/
- March 6, 2018: News articles say that as many as “15,000” people could be affected in the data breach. 300 of them are still students on campus. The majority of them were part of the University from 2003 – 2014.
https://www.visaliatimesdelta.com/story/news/2018/03/06/fresno-state-data-breach-leaves-15-000-exposed/400276002/
Remarks:
1. The notification did NOT include all pertinent details, including the number of people affected.
2. The University should-
- NOT have retained information from former students and staff from 2003-2014
- NOT have saved sensitive PII and PHI data on a hard-disk – especially unencrypted
- NOT have given the Athletics Department free access to all the information
3. Possible controls to mitigate further such incidents-
- take stock of all information – know exactly what information resides where
- implement identity and access management controls
- implement data loss (leakage) prevention solutions
- store all data in encrypted databases – and provide access to certain fields, rows, and tables on a need-to-know basis
- improve physical security and prevent break-ins
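As an added illustration of the last two controls (knowing what information resides where, and giving access to individual fields only on a need-to-know basis), the following Python script is not part of the report or of any Fresno State system. The roles, the field classifications and the sample record are constructed assumptions; it shows a default-deny, field-level read with masking of identifiers and an audit trail of every denied field, plus a simple inventory that counts how many PII, financial and health values a data set holds.

```python
# Added example (not from the report): field-level, need-to-know access to
# sensitive records with an audit trail. Roles, fields and the sample record
# are constructed assumptions.
from typing import Callable, Dict, List, Set

# Data classification for each field held in a (constructed) employee/student record.
FIELD_CLASS: Dict[str, str] = {
    "name": "PII",
    "email": "PII",
    "ssn": "PII-SENSITIVE",
    "drivers_license": "PII-SENSITIVE",
    "bank_account": "FINANCIAL",
    "health_note": "PHI",
}

# Hypothetical roles and the only fields each one needs to do its job.
ROLE_ALLOWED: Dict[str, Set[str]] = {
    "athletics_staff": {"name", "email"},
    "payroll": {"name", "ssn", "bank_account"},
    "student_health": {"name", "health_note"},
}

# Even permitted readers see identifiers partially masked unless they opt in.
MASKERS: Dict[str, Callable[[str], str]] = {
    "ssn": lambda v: "***-**-" + v[-4:],
    "bank_account": lambda v: "*" * (len(v) - 4) + v[-4:],
    "drivers_license": lambda v: v[:1] + "*" * (len(v) - 1),
}


def read_record(record: Dict[str, str], role: str, audit: List[str],
                unmask: bool = False) -> Dict[str, str]:
    """Return only the fields `role` may see; append a log line for each denied field.

    Default-deny: an unknown role gets an empty result and every field is audited.
    """
    allowed = ROLE_ALLOWED.get(role, set())
    visible: Dict[str, str] = {}
    for name, value in record.items():
        if name not in allowed:
            audit.append(f"DENY role={role} field={name} class={FIELD_CLASS.get(name, '?')}")
            continue
        if not unmask and name in MASKERS:
            value = MASKERS[name](value)
        visible[name] = value
    return visible


def inventory(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count how many stored values fall into each classification.

    Knowing a data store holds N PHI values and M SSNs is what lets an owner
    decide it must be encrypted, access-restricted, or not retained at all.
    """
    counts: Dict[str, int] = {}
    for rec in records:
        for name in rec:
            cls = FIELD_CLASS.get(name, "UNCLASSIFIED")
            counts[cls] = counts.get(cls, 0) + 1
    return counts


# Constructed sample record; none of these values are real.
SAMPLE: Dict[str, str] = {
    "name": "A. Student",
    "email": "a.student@example.edu",
    "ssn": "123-45-6789",
    "drivers_license": "D1234567",
    "bank_account": "000123456789",
    "health_note": "cleared to play",
}

if __name__ == "__main__":
    log: List[str] = []
    print(read_record(SAMPLE, "athletics_staff", log))   # name and email only
    print(read_record(SAMPLE, "payroll", log))           # SSN shown as ***-**-6789
    print(inventory([SAMPLE]))
    print("\n".join(log))                                # four DENY lines for athletics, three for payroll
```

The point of the audit list is that a department reading fields outside its job (the Athletics Department touching health or financial data, in this case) shows up as a DENY line rather than silently succeeding; the inventory output is the starting figure for deciding what an unencrypted disk should never have held.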
Reference:
BakerHostetler. (March 6, 2018). Incident Notification. Retrieved from https://www.sans.org/reading-room/whitepapers/auditing/information-classification-who-846
Cederlof, C. (March 6, 2018). Fresno State data breach leaves 15,000 exposed. Retrieved from https://www.visaliatimesdelta.com/story/news/2018/03/06/fresno-state-data-breach-leaves-15-000-exposed/400276002/