08-29-12 | Blog Post
Three months ago, a data breach of the University of South Carolina’s (USC) web server resulted in the exposure of approximately 34,000 students, staff and researchers’ personal information to hackers. While USC was initially alerted on June 6 of the breach, they only recently notified the affected. The personal information includes names, addresses and Social Security numbers.
Unfortunately, USC is not new to data breaches – this was the sixth and largest incident over the past six years, bringing the total of exposed records to 81,000. Three months is also an unusually long time to wait before alerting people – for healthcare organizations, if they suffer a breach of any type, they are required by the federal government to notify individuals no later than 60 days following the discovery of a breach (HHS.gov). Late or significantly delayed notification may have allowed hackers to use stolen information unnoticed for the 11 weeks.
Little information is provided as USC continues their investigation in the breach; the only details mentioned in news articles state the breach came from hackers overseas. TheState.com reports on USC’s six data breaches:
April 2006 – (1,400 people affected): Student information accidentally was e-mailed to as many as 1,000 students in the Hospitality, Retail and Sports Management program.
August 2006 (6,000) – A university post office database was hacked, exposing information about current and former students.
September 2007 (1,482) – Files with Social Security numbers, test scores and course grades were unintentionally exposed online.
June 2008 (7,000) – A computer with student and faculty information was stolen from the Moore School of Business.
March 2011 (31,000) – Human error led to a breach that exposed the information of faculty, staff, retirees and students on all eight USC system campuses.
August 2012 (34,000) – An overseas hacker gained access to student and staff records at the College of Education.
With so many breaches, USC really needs to reevaluate their breach remediation and security policies. They could benefit from an updated risk assessment that could identify known vulnerabilities and pinpoint ways to prevent yet another breach from occurring. And judging from the amount of human error, they could also benefit from implementing a security awareness program with annual security training for employees.
If you want to read more about major data breaches and their resolution and/or solutions, check out:
Yahoo Data Breach Affects 450,000
International Credit Card Data Theft Operation Revealed
Business Associate-Related HIPAA Violation Results in $750,000 Fines
Server Hack Leads to HIPAA Violation by Utah Department of Health
What’s a HIPAA Violation? highlights and explains the most reoccurring mistakes that organizations make that result in a data breach.