In response to the security breach at the Health Science Center website, Stony Brook placed a disclosure online to inform everyone of what had happened. The disclosure outlines the effects of the incident that occurred back in May, and how to respond to the risk of identity theft.
On April 11, the Health Science Center website was reconfigured and a massive file containing names, social security numbers, faculty numbers/departments, and other internal fields was present on the web server. The 89,853 people who were affected included students, faculty, staff, alumni, and others in the Stony Brook community.
“It was an old file dating back to 2002,” said Patrick Calabria, University Media Relations Officer. “In 2002, the campus was still using social security numbers for identification purposes, rather than Stony Brook ID numbers.”
“There is currently a university-wide review of social security number practices ordered by President Kenny, so that social security numbers can be eliminated wherever they can be,” said Calabria.
“The information was completely for authentication and statistical purposes,” said Division of Information Technology CIO Richard Reeder. Reeder was involved in the follow-up investigation after the mistake was brought to attention.
The information was accessible until April 24th, when a student discovered that the information was available online and reported the matter to the President’s office. While there was no URL to directly link to the file from the Health Science Center website, the information could be reached when searching through the Google search engine. Logs confirm that no one had accessed the file since April 10th, and it remained embedded in the web server.
“I had to type in: ‘HSC Alaph SSN’, those three search terms and only then would Google index it [the file],” said Reeder. The file was embedded in a root directory which specified all the images and hypertexts needed for the website display and links.
“I’m not a part of the East Campus IT, but currently their CIO position is vacant and I took over in the emergency,” Reeder said. The New York State Cyber Security Office was contacted, and it asked Google to remove the information from the search engine.
“The New York State law dictates what we have to do at times like this. We’re required to mail letters and therefore we had to prepare a notification letter and procure centers for calling,” said Calabria. “We simultaneously put up calling centers when the letters were mailed out, so that people could have resources.”
The call centers were placed effectively, and the number of calls has since decreased. “Most calls are people asking if they’re on the list or not,” said Reeder. “By and large the people who called were reassured by two things: that there was no financial disclosure, and that the information was accessible for only a brief period of time,” said Calabria.
The New York State law outlines that people in such a case must be contacted by mail, which delayed informing people until around mid-May rather than promptly on April 24th.
“The letters had to be written up, printed, delivered, and distributed to people by their last known addresses which took time to confirm because the file wasn’t recent,” said Calabria.
Online, Facebook groups can be found where people express their opinions on the issue, most of them reflecting negatively. “The angry and irrational response of quite a few students on Facebook indicates that there are some who are not ready to deal with manageable problems in an orderly and respectful manner,” said Kurtz. “As unfortunate as this incident was, I think the student response has been even more disappointing. As far as I know, not one ‘victim’ has been taken advantage of, as a result of the data leak. I can almost sympathize with Stony Brook’s desire to delay notification until the majority of the student body was off-campus.”
“I know an incident of this grandeur size would take time, but I find it a little too inconvenient that it [letter of notification] was delivered around the time that school ended,” said sophomore Alex Nagler. Nagler plans on holding a protest when students return to school in the fall to criticize Stony Brook’s response to the issue.
“What better way to galvanize a large population than by a protest to address the fact that Stony Brook doesn’t want to admit that they made a mistake, offer no credit monitoring, and lack adequate compensation,” he said.
Undergraduate Student Government president Joseph T. Antonelli has been insisting on meeting with President Kenny since May to negotiate credit monitoring for those affected, but meetings keep getting delayed. “I would like the proper compensation for an incident such as this,” said Antonelli. “In similar cases where personal information has been accidentally leaked, a year of free credit monitoring service is offered to all of the affected people by the agency or company that made the error. I understand that accidents happen, but when they happen, the proper response/compensation is expected.”