Title: Breach Database
2 Purpose of Our Session
- present examples of breaches in the educational area
- identify the impact of privacy breaches
- use the breach database as a teaching tool for in-service
Breach Database
4 Education Focused - Privacy Breach Database
- Consists of some 32 examples of education-related privacy breaches categorized into 7 areas
- Internet links for each breach allow for a review of the specific breach and required action on the part of the institution
- Additional resources and external links conclude the database
- Individual breaches can be examined to highlight the specific nature of a privacy breach
The Database
5 Malicious Computer Data Breaches
- Hackers Compromise 160,000 Student Healthcare Records at Berkeley, Mills College
  http://www.securitymanagement.com/news/hackers-compromise-160000-student-healthcare-records-berkeley-mills-college-005621
- Hackers Steal Information for Over 70,000 Students/Alumni from Brock University
  http://www.cbc.ca/technology/story/2006/10/12/tech-brock.html
- Southern Connecticut State University Servers Compromised by Spam Operation, Potentially Exposing the Data of 11,000 Students
  http://www.pcworld.com/businesscenter/article/145087/after_web_defacement_university_warns_of_data_breach.html
6 Malicious Computer Data Breaches
- Austin University Student Hacks into His School's Computer System, Accessing Over 50,000 Social Security Numbers & Other Data
  http://www.msnbc.msn.com/id/9239576/
- Potentially 400,000 Student Records Breached When San Diego University Server Is Infiltrated
  http://attrition.org/dataloss/2004/03/sdsu01.html
7 Accidental Computer Data Breaches
- Faculty Member at an Ohio University Accidentally Places Social Security & Grade Report Online - Data is Public for Over 3 Years before Being Noticed
  http://www.miami.muohio.edu/documents_and_policies/privacyhelp.cfm
- A City College in Edmonton Accidentally Makes Student Data Available Online - Data Included Credit Cards, SIN Numbers, Signatures, Etc.
  http://attrition.org/dataloss/2007/10/macewan01.html
- Student Aid Records for 90 Individuals in Newfoundland were Publicly Exposed Due to a Security Hole in an Online Database
  http://www.cbc.ca/consumer/story/2008/09/08/student-breach-data.html
- Hundreds of McGill Student Academic Records Accidentally Made Public on School Website
  http://www.cbc.ca/canada/montreal/story/2007/04/27/mcgill-privacy.html
8 Accidental Computer Data Breaches
- Teacher in Manchester, England Accidentally E-Mails Attachment with Student & Employee Data to Hundreds of Other Students & Employees
  http://www.vbsnet.com/news/2009/04/30/ico-acts-on-student-privacy-breach.html
- Four University of Texas Professors Accidentally Posted the Private Data of Thousands of Students Online
  http://www.woai.com/content/news/newslinks/story/U-T-Students-Personal-Information-Accidentally/VQQrtNfAc0WcWgWzVtMU1g.cspx
- Ryerson University Software Glitch Accidentally Posts Student Data Online - Issue Not Corrected for Weeks after the School was Informed of the Breach
  http://www.itworldcanada.com/news/ryerson-privacy-breach-highlights-immature-it-analyst-says/109118
- Western University Exposes the Data of Over 1,000 Graduate Students - Data was Posted on an Unsecured Portion of Western's Website
  http://communications.uwo.ca/com/western_news/stories/western_apologizes_for_privacy_breach_20051027434109/
9 Malicious Physical Document Data Breaches
- Laptop with the Data of Over 98,000 Students Stolen from the Graduate Admissions Office of Berkeley University
  http://www.channelregister.co.uk/2005/09/16/berkeley_laptop_theft_arrest/
- Newfoundland School Board Found in Violation of Privacy Laws After Stolen Laptop Exposed the Records of 28,000 Students
  http://www.cbc.ca/canada/newfoundland-labrador/story/2008/07/25/school-theft-privacy.html
- Entire Student Roll at College in Nassau, New York Stolen from Administrative Office - Over 21,000 Students Affected
  http://attrition.org/dataloss/2006/12/nassau01.html
- Two University of Alberta Hospital Laptops Stolen - Over 300,000 Affected
  http://www.cbc.ca/canada/edmonton/story/2009/06/24/edmonton-laptop-theft.html
10 Accidental Physical Document Data Breaches
- Sensitive Student Information Found Along Road from Nashville, TN High School (Video Report Included)
  http://www.wsmv.com/news/18966430/detail.html
- Keller, TX High School Mails Incorrectly Addressed Private Data to Hundreds of Students
  http://datalossdb.org/archives/1099/2121/index.txt
- New York City School Accidentally Leaves 12 Boxes of Student Records on Curb
  http://query.nytimes.com/gst/fullpage.html?res9F0DE4DD143EF937A15752C1A9629C8B63
- Tennessee State University Employee Misplaces Flash Drive with Social Security Data of Over 9,000 Students
  http://www.wsmv.com/education/17464384/detail.html
11 Accidental Physical Document Data Breaches
- College Student Data Intended to be Shredded is Discovered Off-Campus
  http://attrition.org/dataloss/2005/08/and01.html
- Hard Drive at Colorado University Goes Missing, Potentially Exposing 15,790 Students
  http://www.jrrobertssecurity.com/security-news/security-crime-news0028.htm
12 Visual Privacy
- Story about Teacher in Quebec Negatively Affected by Cell Phone Video of Her Posted on YouTube by Students
  http://www.cbc.ca/canada/ottawa/story/2006/11/24/you-tube.html
- Stanford University Fights for Privacy Rights of Student Pictures Posted Online
  http://www.sfgate.com/cgi-in/article.cgi?f/c/a/1999/09/23/MN55114.DTLtypeprintable
- Article on Benefits and Perils of Video Cameras on School Buses
  http://www.westmountexaminer.com/article-cp80346034-School-buses-may-be-wired-for-surveillance-privacy-experts-warn-of-perils.html
13 Visual Privacy
- English Newspaper is Censured for Posting Student Photos Online Without Permission
  http://www.timesonline.co.uk/tol/news/uk/article2260869.ece
- Article on the Quebec Student Known as the Light-Sabre Kid
  http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20090318/online_privacy_090318/20090318?hubSciTech
14 Anonymous Information
- City of Regina Accidentally Gives Out Extraneous Data to Outside Researchers, Exposing Thousands
  http://www.cbc.ca/canada/saskatchewan/story/2009/02/11/regina-information.html
- YouTube and Viacom Agree to Mask Viewer Data
  http://www.usatoday.com/tech/products/2008-07-15-2584242500_x.htm
15 Data Storage Locations
- An Article on Google, Lakehead University and Their Connection to the U.S. Patriot Act
  http://www.theglobeandmail.com/news/technology/article675014.ece
- CBC Article on Health Records Vs. The Patriot Act
  http://www.cbc.ca/health/story/2008/05/05/fhealth-digitalrecords.html
16 Additional Resources
- Data Loss Database - Searchable database of over 2,500 privacy breaches from across the world, affecting almost 5 million records.
  http://datalossdb.org
17 Additional Resources
- Privacy Rights Clearinghouse - Chronological Database of Hundreds of Privacy Breaches
  http://www.privacyrights.org/ar/ChronDataBreaches.htm
- IPC - Information and Privacy Commissioner of Ontario
  http://www.ipc.on.ca
19 Hamilton Spectator - Jan. 28, 2010
Excerpt: January 28th is Data Privacy Day around the world, a day dedicated to raising awareness about protecting personal information, especially online. The article contains a list of the major data privacy issues today, according to the privacy commissioner's office. This is a short sample:
- New technologies emerge daily, but often personal information is required to use them. Consider how much information you have handed over to play online games, join social networks or even shop online. And what happens if the information ends up in the wrong hands?
- Watch out for fraudulent e-mails, be on guard against phishing -- lying about the real reasons someone is data mining -- and much more.
http://www.thespec.com/article/713274
Media Reports
20 Hamilton Spectator - Jan. 28, 2010
Privacy czar launches investigation over personal-settings tool
Privacy commissioner Jennifer Stoddart said yesterday the complaint focuses on a personal-settings tool introduced by Facebook last month. The complainant alleges new default settings would have exposed his information to a greater degree than settings he had previously put in place. Elizabeth Denham, the assistant privacy commissioner, said in a news release the grievance echoes other concerns expressed in recent months. "Some Facebook users are disappointed by certain changes being made to the site -- changes that were supposed to strengthen their privacy and the protection of their personal information."
http://www.thespec.com/article/713275
22 Identity Theft is much more than credit & debit card skimming. It is the unauthorized collection and fraudulent use of someone else's personal information.
Hamilton Police Department Definition
Identity Theft
23 Types of Identity Theft
- Thief obtains a credit card in victim's name using personal information.
- Thief calls victim's credit card company and pretends to be the victim.
- Thief changes the address on victim's credit card account. In this instance victim may not know of theft for quite some time.
- Thief obtains a cell phone account in victim's name using stolen identification.
- Thief opens a bank account in victim's name using stolen identification.
- Thief steals credit or debit card information from victim's card. The thief then manufactures a forged card and attacks victim's account.
24 Some Facts about Identity Theft
- Identity theft, skimming and other crimes related to criminals getting your personal information is the fastest growing and costliest consumer crime in North America
- Identity theft crimes have grown 100% every year since 1997, the year that this type of crime began to be taken seriously
- In 2003 (the most recent year stats were available), identity theft cost the Canadian Economy 2.5 billion dollars, and has only risen from there
- Canadians have a 1 in 10 to 1 in 20 chance of being victimized by Identity Theft in their lifetime. By comparison, your chance of being physically victimized (via assault, robbery, etc.) in your lifetime is much less than 1 in 100.
Source: Hamilton Police Dept.
25 Law Enforcement Suggestions on How To Avoid Identity Theft
- Place passwords on your credit and debit cards and change these often. Avoid using easily available information, i.e. birthdate and phone numbers, as your password.
- Secure personal information in your home.
- Don't give personal information out over the phone, through the mail or over the internet, unless you initiate the contact.
- Guard your mail and your trash from theft. Deposit outgoing mail at the post office or secure box instead of an unsecured mailbox. Remove mail from your mailbox promptly. Put your mail on hold if you are going to be away.
Source: Hamilton Police Dept.
26 Law Enforcement Suggestions on How To Avoid Identity Theft
- Shred all mail and paperwork that contains personal information.
- Do not carry your SIN card on your person; keep it in a safe place. This should also be so for any identification not needed on a daily basis.
- When using your debit or credit card always keep it in your view, watch the clerk as they process your card and always protect your PIN.
Source: Hamilton Police Dept.
27 Breakdown
28 Breakdown
Breakdown
30 Teacher In-service Using the Breach Database
- Select a database item from one of the 7 areas
- Connect to the internet through the link
  - Printed examples will be used in the workshop
- Review with staff the event, nature of the breach and type of information compromised by this breach
- Pose the following questions for discussion:
  a) Was the information of a nature that could compromise the identity of the individual?
  b) Could the information be used for malicious purposes?
  c) Are there legal implications for our organization due to the loss of this data?
  d) Have we followed the necessary steps to inform the parties of the loss of this information?
  e) Have we done or can we do anything to re-secure this information?
Using The Database
31 Now It's Your Turn
Create a group for discussion purposes: your board team, or a group of 5 or 6
- Select a breach from the database.
- Review the breach on the internet or use one of the printed examples.
- Pose the questions.
- Be prepared to report your discussion (20 minutes).
- Each team's reports will be posted.
32 Best Practices to Prevent Breaches
Resources available for use in teacher in-service:
- Privacy videos found on the London region MISA website www.misalondon.ca
  - Teacher videos
  - Administration and Central Staff videos (Principals)
  - I.T. Videos
- MISA Breach database found in pdf format on the MISA website resources
- PIM Guidelines
34 Physical Document Data Protection for Teachers
Video: http://misalondon.ca/teacher_videos06.html
PIM Videos
35 Digital Data Protection for Admin/Staff
Video: http://misalondon.ca/teacher_videos02.html
36 Discussion Questions for Teachers - Physical Document Data Video
1. Is there a clear purpose for each type of personal information that I collect, use, retain, or disclose?
2. Do I know when it is appropriate to destroy personal, confidential, or sensitive information? When destroying such information, do I place it in the appropriate shredding bins?
3. Are Ontario Student Records (OSR) and Office Index Cards securely stored in the main office of the school and only accessible by authorized personnel in the main office of the school?
4. Do I ensure that information about a student(s) is shared only with other staff in the school who are assigned to work with the student(s), and only as needed to improve the education of the student(s)?
37 Discussion Questions for Admin/Staff - Digital Data Protection Video
1. Have I safeguarded all electronic personal information records maintained in password-protected databases?
2. Do I refrain from storing personal, confidential, or sensitive information on a Shared Network Drive?
3. Do I immediately pick up any personal, confidential, or sensitive records sent to printer or photocopier or received by fax?
4. Before sending personal, confidential, or sensitive information via email, have I considered taking precautions such as removing personal information?
continued...
38 Discussion Questions for Admin/Staff - Digital Data Protection Video
5. Are computer access rights reviewed and updated regularly to ensure that I do not have access to personal information that I do not need to perform my duties and responsibilities?
6. Am I following the procedures in place for safeguarding personal information on laptops, memory sticks, personal digital assistants (PDAs, e.g., BlackBerry devices), etc.?
7. Do I sometimes share passwords with others? If so, do I immediately change my password afterwards?