EDITORIAL: Condemn University’s lack of security
Last Wednesday, the University announced that two desktop computers stolen from the Registrar’s office on Oct. 20 contained personal information about Brandeis students enrolled since the summer of 2012, including names, addresses and, potentially, social security numbers. According to Executive Director for Integrated Media Bill Schaller, students receiving federal loans and working on campus are particularly at risk for having their social security numbers taken, constituting the first serious student data breach the University has faced in recent memory. While the computers had basic password protection, the program storing the actual data was protected by neither passwords nor encryption, meaning a thief able to circumvent the initial security could easily access this information.
While it is some comfort that there is no current evidence of the security breach being used for identity theft, neither University police nor the Waltham police department have any leads as to who the thief might be, now almost a full month after the initial robbery. This board urges the University to see these thefts as a serious call to action in improving campus security, both digital and physical.
Social security numbers are among the most valuable and most commonly stolen pieces of information taken by identity thieves. Using a social security number, one can, among other things, open a credit card in another’s name, receive medical treatment for which another will have to pay, receive another’s tax refunds and have criminal misdemeanors placed on another’s record. Though never designed to serve this purpose, social security numbers are now one of the government’s principal forms of identification, and stolen numbers are sold frequently on the dark web, according to Adam Levin, founder of Credit.com, in an April 19 column for ABC.
It is not impossible that the thieves from the Registrar simply did not know what they got away with — some projector equipment was also stolen. But contrast this theft with the other piece of information technology news from the University in recent weeks. According to a Nov. 4 email from Chief Information and Security Privacy Officer Michael Corn, the University is reviewing and updating security standards for the Eduroam wireless network; this includes encrypting information that users transmit online, such as credit card or social security numbers, so that other users on the same network cannot easily access that information.
This is a logical and adequate booster to the University’s information security. But it is also a very public one; all wifi users on campus are familiar with eduroam and enjoy a sensation of safety and security upon hearing these new precautions. IT issues less directly in the public eye apparently receive no encryption, no data tracking, and apparently, no locked windows.
As Senior Vice President for Finance and Treasurer Marianne Cwalina stated in her email informing the campus about the seriousness of this theft, the University has kept an ongoing effort to centralize the management, backup and encryption of all staff computers. This cannot come soon enough, particularly given that the students most at risk from the data breach are those on federal financial loans, already a financially vulnerable party. When asked by the Justice for clarification, though, Schaller could not provide clear examples of measures the University has taken in recent weeks to follow through on Cwalina’s promises. This centralization effort may well be underway, but clearly more resources and communication across the University administration must be devoted to it if a spokesperson cannot provide a single clear example of measures the University has taken, even after a major data breach has rocked the campus. At the very least, universal standards for data protection must be put in place across all University departments immediately.
To the University’s credit, it has been relatively transparent about the information gathered during the investigation and the extent of the data breach thus far in order to be compliant with federal law. Community members were not initially informed about the data breach due to understandable concerns that thieves who might not have realized what they had gotten away with would come to discover this after the information was widely distributed. But transparency and clarity after the fact do not excuse negligence before it. Deeply sensitive information being stored without any additional protection constitutes a startling naivete about the dangers of the digital world, and apparently, of the physical one as well.
If, as Schaller told the Justice in a phone interview, video footage from an on-site closed circuit camera did not capture any footage useful to the investigation, it appears the University’s cameras are not sufficient to help stem security problems. Schaller did not disclose where the camera itself is located in order to avoid compromising an apparently already poor system. Yet the fact that University police and administrators cannot be more specific about when the thefts occurred than to say that it was vaguely sometime between Oct. 24 and 25 — the thefts were only discovered the Monday morning when registrar workers returned to work — seems to show that, at the very least, the cameras are not actually recording footage of where and when the thefts took place. This board believes that if security cameras aren’t fully monitoring the facility, the University must see this recent theft as evidence of a need to implement measures that better investigate crimes and deter future attacks.
This theft must be seen by the University as a call to investigate installing more security cameras across campus. Residents of Ziv 127 were required to pay a $23 fee in damages for each resident after the wires to the Accessible Electronic Door were cut on both doors and the opening arm of the door was broken, according to a Nov. 12 email sent by Director of Community Living Tim Touchette to the Ziv 127 occupants. While this editorial board realizes the scale of this incident does not compare to the aforementioned security breach, it provides an example of how the University should prioritize security campus-wide. If security cameras were more widely used across campus, especially near entrances to residence buildings, this problem could have easily been investigated.
There is even greater precedent for this installation following the vandalization of the Muslim Student Association suite. The MSA put up a security camera in the hallway outside the suite in response to the vandalism. This board maintains that more closed-circuit television cameras should be installed to better track and punish those who commit crimes campuswide in order to foster the protection of privacy.
If the University cannot honestly state that thieves are on camera and key information is safe, a serious review of security systems is necessary. This alarming breach of security requires the University to be more wary of protecting data in the future and heed the call to prioritize student privacy. Certain information should never be shared with the public, and this incident may have allowed just that.