Computer breaches worry experts

BY TIFFANY TEASLEY
For the Daily
Published April 13, 2005

Correction appended: The headline should have said Computer breaches worry experts.

A recent chain of incidents involving computer security breaches on college campuses has experts questioning the current security policies that universities nationwide have in place to protect the personal information of students and faculty.

Three incidents involving computer hacking and stolen information occurred within a span of two weeks at three universities.

The most recent breach transpired on March 28 when a laptop that contained about 100,000 Social Security numbers of University of California at Berkeley members was stolen from the school’s campus. Three days earlier, information in the Kellogg School of Management at Northwestern University was hacked into, which could have exposed nearly 21,000 Northwestern members’ personal information to the culprits. A similar incident occurred the week before at California State University at Chico where a security breach may have revealed the personal information of 59,000 California State affiliates.

The most recent significant incident involving University information security occurred nearly a year ago when a student reported a bug in Wolverine Access. This glitch created the possibility for the disclosure of personal information, said John Howell, the University’s chief of information technology security.

“It was not hacking, but the University felt that there was a very small probability that someone may have referenced it, although this was not indicated,” Howell said.

Notification was later posted on Wolverine Access further explaining the situation, along with the University’s security policies.

Howell said the University has taken various measures to ensure the safety of its students and staff and is confident in the policies set forth by the University to maximize information security.

“There are always elements in place for balancing between computer security, ease of use and functionality,” Howell said.

Despite the protective measures colleges may have in place, universities still need to further develop their security systems, said Aileen Soules, associate dean of California State University at East Bay.

“In some ways we’re more vulnerable then ever,” Soules said in regard to universities across the country,

Soules, who is an expert of privacy policies, said she feels the policies of colleges and universities have generally improved, but she remains concerned about security issues.

Due to the rise in computer hacking, Soules said universities need to increasingly adapt their systems to confront the many threats to college security systems.

A 2004 report by Virginia Rezmierski, a professor at the Ford School of Public Policy, examined the vulnerabilities of the computer security policies at colleges and universities nationwide.

In the report, Rezmierski concluded that, “Only a few colleges and universities have begun to categorize or codify computer-related incidents and establish thresholds to trigger appropriate responses. We hope that our conceptual models might help institutions with this task.”

In the past, college campuses nationwide have used Social Security numbers as the primary method of identifying student records and faculty information. The University changed its policy in 1996 by implementing the Unique Identification Number as the primary form of identification for students in order to better safeguard the personal information of University members.

However, the University still retains Social Security numbers within its computer databases, solely for business reasons, Howell said.

He added that the University has yet to be a victim of any computer hacking that would threaten the disclosure of Social Security numbers.

Although Howell said current security measures are adequate to protect the University’s information systems, the University is now focusing its efforts on educating the student community about how they can protect themselves from computer hacking.

Because many University students use residential computing sites on campus, the housing office has also adopted numerous measures to guarantee the safety of students and faculty.

Alan Levy, director of housing public affairs, said a campus web page, identityweb.umich.edu, promotes awareness of identification theft and the steps that can be taken to make the possibility less likely. Recently launched, Levy added that the Web page was developed through the joint efforts of University Housing and Information Technology Central Services. In addition, he said the Web Privacy Policy on the Housing website outlines specific computer security measures taken to protect students’ confidential information.

“It was very important for us to make a standard policy about the importance of protecting the identification of students and staff.” Levy said.

 At the University, virus protection remains a primary concern for the majority of students. Jesse Specvack, a computer consultant at the Computer Showcase in the Michigan Union, said students bring their computers in for virus protection everyday, but access to personal files or information has not been a significant issue.

The Showcase recommends maintaining an updated operating system and using virus scan software, such as Spybot Search & Destroy or Adware, in order to control security issues and viruses.

If personal information on a computer system or University-affiliated website has been exposed, students should follow the appropriate steps available on safecomputing.umich.edu.