In cyberspace, one person can do an awful lot of damage.
At the University of Nebraska, one undergraduate student put the personal and financial data of 650,000 people at risk. According to Computerworld:
The intrusion, which was described by university officials as a "skilled attack," exposed the Social Security Numbers (SSNs), names, addresses, course grades, financial aid and other information on students who attended the university since 1985. ... The breach also exposed personal data and financial information for parents of students who applied for financial aid at UNL, according to the university.
The University of Nebraska, like many large flagship colleges, consists of more than one campus. This breach affected all four of Nebraska's campuses. It also touched other state universities that shared a student information database with the University of Nebraska system.
My hat is off to the officials at the University of Nebraska for how they've handled this so far. Apparently, the breach was first discovered on May 23. A week later, they had traced the IP address of the computer used in the attack and identified a student connected to that address. Usually when you hear about a data breach, it is weeks or months - not days - after the discovery of the breach.
We still don't know much about the person accused or the motives behind the hack. Nor do we know what vulnerability the student exploited. However, for all the right things the university did upon discovering the breach, there are a few signs that the school didn't do enough up front to protect the data. As Corero Director of Research Neil Roiter pointed out to me in an email:
The fact, according to the university, that its data was not encrypted and that the nature of the attack would have bypassed it in any event, raises questions about its overall security posture.
Again, I applaud Nebraska for its reaction, but one must wonder about the proactive measures the school had taken to protect the information of so many people. But like any good university, Nebraska is providing some good lessons for other academic institutions or any organization that holds a lot of data. When others are entrusting your organization to hold so much personal and financial information (not to mention medical records, since the medical school was among the campuses hit), you owe it to those thousands of customers to maximize your security efforts. We know that no database or computer network is foolproof, so having a good response plan in place is absolutely vital - and can do wonders for protecting your brand.