News

U of Fla Warns Dental School Patients of Breach

The University of Florida Wednesday disclosed that it has notified more than 333,000 people about the potential compromise of their personal data following a system intrusion at its dental school

By Jaikumar Vijayan, Computerworld (US)

November 14, 2008 — CSO — In an incident that is likely to further reinforce the reputation that college networks and systems have of being notoriously insecure environments, the University of Florida Wednesday disclosed that it has notified more than 333,000 people about the potential compromise of their personal data following a system intrusion at its dental school.

The compromised data included the names, dates of birth, Social Security numbers and addresses of current and former College of Dentistry patients dating back to 1990, as well as information about dental procedures in some cases, the university said in a statement. The data had been stored unencrypted in a database on the breached server, it added. In addition to the 330,000 people who were notified, another 8,000 individuals whose current mailing addresses couldn't be found were affected by the intrusion, according to the statement. Officials at the university in Gainesville hope those patients will learn about the data breach through media coverage of Wednesday's disclosure.

The breach was discovered Oct. 3 while the server was being upgraded. The university said IT staffers discovered then that malware had been installed on the system from a remote location. It added that the server was "immediately disconnected" from the Internet and that stronger security controls have since been put in place. No details about the new controls were disclosed.

The university noted that the breach occurred despite what it said were several previous security measures designed to mitigate such risks, such as encrypting data while it's in transit and strengthening firewalls and intrusion detection systems.

A university spokeswoman said that there were multiple reasons why the notifications were sent out more than a month after the breach was first discovered. Initially, IT workers and external consultants who were brought in to help needed to determine what the scope of the breach was and figure out how many people had been affected. Later, the university was asked by law enforcement officials to withhold disclosure while the breach was being investigated, the spokeswoman said. It also needed time to establish a call center and set up a Web site to handle questions from affected individuals.

The spokeswoman added that the time taken by the university was in line with Florida breach disclosure rules that require organizations to notify people about a potential compromise of their personal data within 45 days of its discovery. As is typical with most disclosures of this sort, the university didn't identify the kind of server that was breached or specify how the intruder gained access to it. It also didn't say when the intrusion began or how long it remained undetected.

• Email
• Print
• Comments
• Digg This
• SlashDot

• Recession Be Damned! IT Security Spending Up For Some
• Researchers Hack Into Intel's vPro
• CheckFree Warns 5 Million Customers After Hack
• Big Peace Initiative, Big Security Risks
• 3 Ways a Twitter Hack Can Hurt You