Email the Editor    Email a Friend    Print this Page 

The University of Florida last week revealed that it has notified more than 333,000 people about the potential compromise of their personal data following a system intrusion at its dental school.

It's an incident that is likely to further reinforce the reputation college networks and systems have of being notoriously insecure environments.

The compromised data included the names, dates of birth, Social Security numbers, and addresses of current and former College of Dentistry patients dating back to 1990, as well as information about dental procedures in some cases, the university said in a statement.

The data had been stored unencrypted in a database on the breached server, it added.

In addition to the 330,000 people who were notified, another 8,000 individuals whose current mailing addresses couldn't be found were affected by the intrusion, according to the statement.

Officials at the university in Gainesville hope that those patients will learn about the data breach through media coverage of yesterday's disclosure.

The breach was discovered Oct. 3 while the server was being upgraded. The university said IT staffers discovered then that malware had been installed on the system from a remote location.

It added that the server was "immediately disconnected" from the Internet and that stronger security controls have since been put in place. No details about the new controls were disclosed.

The university noted that the breach occurred despite what it said were several previous security measures designed to mitigate such risks, such as encrypting data while it's in transit and strengthening firewalls and intrusion-detection systems.
A university spokeswoman said that there were multiple reasons why the notifications were sent out more than a month after the breach was first discovered.

Initially, IT workers and external consultants who were brought in to help needed to determine what the scope of the breach was and figure out how many people had been affected.

Later, law enforcement officials asked the university to withhold disclosure while the breach was being investigated, the spokeswoman said. It also needed time to establish a call center and set up a Web site to handle questions from affected individuals.

The spokeswoman added that the time taken by the university was in line with Florida breach disclosure rules that require organizations to notify people about a potential compromise of their personal data within 45 days of its discovery.

As is typical with most disclosures of this sort, the university didn't identify the kind of server that was breached or specify how the intruder gained access to it.

It also didn't say when the intrusion began or how long it remained undetected.

In the wake of the discovery of the breach, the university is working to examine nearly 60,000 other computers on its campus to ensure that they aren't similarly vulnerable to security threats, the spokeswoman said.

A list of data breaches dating back to 2005 that is maintained by the Privacy Rights Clearinghouse shows that about 60 of nearly 300 incidents reported this year were at universities.

share: