Quick Facts

• Date: 10/28/2010
• Institution: University of Hawaii West O’ahu, University of Hawaii Manoa
• Type of Incident: Unauthorized Disclosure
• Number Affected: 40,101
• Source: National ID Watch
• Abstract Source: National ID Watch, University of Hawaii West O’ahu News Release
• Update1 Source: Star Advertiser

Abstract
The University of Hawaii West O’ahu is notifying former students from both West O’ahu and the University of Manoa after personal information was discovered online. The information, discovered by Aaron Titus, Information Privacy Director for the Liberty Coalition which runs National ID Watch, was posted on a UH West O’ahu website for almost a year and contained the names, Social Security numbers, addresses, dates of birth and detailed educational information on 40,101 students. Individuals that attended the UH Manoa between 1990 and 1998 or in 2001 and individuals that attended UH West O’ahu in Fall 1994 or graduated between 1988 and 1993 may be affected. The information was part of a longitudinal study of UH students and the information was placed online in 2009. Titus found the information using Google and notified the the university, which removed the offending files shortly after being notified. UH West O’ahu has setup a web site with more information on the breach here: www.uhwo.hawaii.edu/idalertfaq.

Update1
The University of Hawaii is asking for nearly $2 million to improve security and reduce the chance of a future incident in the wake of a Liberty Coalition report (PDF) showing that UH is responsible for 54% of all breaches in Hawaii since 2005. The $1.9 million will go toward hiring a five person Web security team to monitor the 600 web servers across the 10 campuses and to purchase data loss and malware prevention software. UH will also need an addition $764,000 annually to maintain and operate the new security measures.

Quick Facts

• Date: 10/27/2010
• Institution: University of Connecticut
• Type of Incident: Unauthorized Disclosure
• Number Affected: 23
• Source: ESI
• Abstract Source: The Daily Campus

Abstract
The University of Connecticut recently notified several former students after personal information was discovered online. The information, a list of former students, contained the names and Social Security numbers of 23 individuals enrolled in a class in 2000. The university became aware of the incident when a former student discovered the information and contacted university officials. The list was immediately taken down. In an address to the University Senate, Provost Peter Nicholls urged faculty and staff to remove sensitive information from their computers. In addition, Nicholls outlined a plan to protect personal information which includes restricting access to sensitive information, annual training and using technology to protect vulnerable data.

Quick Facts

• Date: 10/27/2010
• Institution: Benedictine University
• Type of Incident: Unauthorized Disclosure
• Number Affected: 400
• Source: DataBreaches.net
• Abstract Source: The Candor

Abstract
Benedictine University worked quickly to fix the mistake that exposed personal student information on Facebook. A spreadsheet containing the names, Social Security numbers, dates of birth, email addresses and telephone numbers for 400 BenU students in the Election Judge Training Program was accidentally made available through a link on the programs Facebook page. The spreadsheet was discovered by a student the night of October 19th and reported to the University Police. The University Police reported the online spreadsheet on the morning of October 20th to university official's who immediately removed the link and the spreadsheet. According to Nancy Stoecker, BenU Compliance Officer and Internal Audit Manager, the link was not prominently displayed on the Facebook page and someone would have had to go looking for the link to find it. Political Science Department Chair Dr. Joel Ostrow noted the Election Judge Training Program web site hosted at BenU received more traffic then the Facebook site for the program. Officials worked quickly to draft a notification letter to affected students which was approved and began going out on October 25th. The letter informs students of the situation and asks them to take steps to monitor their credit reports.

Quick Facts

• Date: 10/22/2010
• Institution: Johns Hopkins Universtiy
• Type of Incident: Unauthorized Disclosure
• Number Affected: 692
• Source: DataBreaches.net
• Abstract Source: DataBreaches.net

Abstract
Johns Hopkins University recently notified the Department of Health and Human Services of a security incident involving personal information of the dependents of employees in the university's Applied Physics Laboratory. DataBreaches.net and PHIPrivacy.net were able to reach out to Johns Hopkins University and obtain more information on this incident. It appears that an email message was sent out to some APL employees with an attachment containing the parent names, dependent names, dependent Social Security numbers, dependent dates of birth, dependent martial statuses, and dependent medical and dental coverage status for 695 individuals. The email in question was sent to 85 APL employees. Once the mistake was discovered, APL's IT staff immediately deleted the email from the all 85 email accounts and from the central email server. In addition, all 85 APL staff submitted written verification that they had not printed or copied the email and no longer have any access to the information. As a precaution, APL is offering one year of free credit monitoring to those individuals affected by the incident through Trusted ID. To help prevent a similar incident in the future, APL is implementing the following changes:

• Changed document naming methodology to differentiate between documents to avoid attaching incorrect documents.
• Required all data extracts from its database that includes sensitive data to be encrypted or password protected.
• All Staff Benefits Office staff will be trained in the proper methods of encryption.
• Required that all e-mails sent by the Staff Benefits Office to 5 or more staff members that include any attachment to be reviewed by another team member to ensure the proper document is attached.
• Will explore future capability of automated flagging of any electronic communications sent by Staff Benefits Office team members containing potentially sensitive data such as 9-digit numbers.

Quick Facts

• Date: 10/21/2010
• Institution: Seton Hall University
• Type of Incident: Unauthorized Disclosure
• Number Affected: 1,500
• Source: ESI
• Abstract Source: The Setonian

Abstract
Seton Hall University recently notified students after an email was sent out with an attachment that contained personal information. The attachment, sent in an email to 400 SHU students, contained the names, home addresses, email address, student ID numbers, majors, credit hours and grade point averages of 1,500 SHU seniors. The affected students were notified via email on Tuesday from interim Provost Larry A Robinson. The email from the Provost instructed students to contact Associate Dean for Undergraduate Student Services and Enrollment Management Christopher Kaiser. According to Kaiser, the attachment was created by the College of Arts & Sciences based on credits completed and in progress. Additionally, Kaiser stated the incident is currently under review and precautions are being taken to help ensure the safety of all accounts.