The incident is the third major data security breach in the UH system since 2009. Each time, university officials promised they were strengthening the school’s network systems and working to identify other potential security risks.
In the latest breach, UH immediately removed the exposed files and disconnected the server from the network after it was notified on Oct. 18 by Aaron Titus, information privacy director of the Liberty Coalition, a Washington, D.C.-based policy institute.
Google cleared its caches late on Oct. 21, some 11 months after the information was first put online.
“During that time, theoretically, anybody with an internet connection could have had access to it. How likely that is … is anybody’s guess,” said Titus, who discovered the files from a Google search.
Titus said the university’s statement that it has no evidence that the personal information was used maliciously was somewhat misleading.
“Of course they don’t have any evidence of misuse, because the bad guys wouldn’t tell them if they had,” Titus said.
UH President M.R.C. Greenwood has discussed the issue with all the chancellors in the 10-campus system, emphasizing the university’s policy regarding data security and protection of sensitive information.
UH set up a call center and website for individuals who might have been affected. Those who might be affected by the breach were advised to obtain a credit report and to review financial statements to look for unusual activities.
The university system’s other major security breaches include an incident last summer involving the personal information of 53,000 people who had business with the Manoa parking office, including 40,000 Social Security numbers. And in 2008, more than 15,000 students at Kapiolani Community College were warned after an infected computer compromised their information on financial aid applications.
“There is absolutely no way that we can say this will never happen again, but we are taking every step that’s possible to make sure it doesn’t happen,” Shelton said. Those steps include upgrading security systems and additional training.
Titus said the university could have caught the latest mishap much earlier and quickly blocked any access if it regularly scanned its server for personal information, a task for which software is readily available.