A weekend interview with Eduard Goodman, chief privacy officer for Identity Theft 911
In a three-month span, the University of Florida had three computer security breaches, compromising thousands of people's personal records. Could it happen again? And what should people whose information was hacked do about it? We turned to Eduard Goodman, chief privacy officer for Arizona-based Identity Theft 911, for some insights. Goodman spoke with reporter Jeff Solochek.
What exactly happened at the University of Florida that allowed all this information to be released?
Well, actually, there's been three distinct events that happened over the last several months. The most recent one was essentially a hacking into a quite dated system that they had still in place at the university ... which is, unfortunately, quite common in a university setting, where technologies tend to be put in place and used well past their expected life. ... They shut it down for investigation. ... It probably should have been taken offline seven or eight years ago. ... This is the most recent one.
Not too long ago there was actually another incident where the university has a special service ... which sends out SMS text messages on an emergency basis. Someone hacked into that system. This was on Inauguration Day. ... There were thousands of students that got a message that said, 'The monkey got out of the cage,' whatever that means.
There was a more serious one, I want to say it was in November. What happened is the College of Dentistry at the University of Florida had some unauthorized software, as they want to call it, installed on one of their servers. It was where they stored names, addresses, phone numbers, dates of birth, medical notes and other sorts of information on former and current patients. The breach size was between 300,000 and 400,000 people who could have been exposed.
So all of this has happened roughly within three months at the University of Florida. I think it helps outline the general problem when it comes to universities.
So what is that general problem?
First and foremost, especially in today's economy, universities are generally on a tight budget. ... Usually, when a university has been going through its budget, one of the places that gets cut because it's a big money vacuum so to speak is [information technology]. Then you see situations like this where they stretch equipment well past its usual lifespan to try and get as much out of it as they can, rather than spending the money to replace it. ...
Another issue, too, on the university side is IT management isn't centralized. ... You add that to the fact that a lot of times a university IT staff is consisting of people in the computer sciences department doing double duty. ... You have turnover then every four to five years, if not shorter. So there are a number of different variables that come into play that make universities a prime target. Not to mention the obvious fact that due to financial aid, registration and all that, they do house a lot of data on a lot of people.
About those people. How worried should they be that their information is so easily hacked?
Unfortunately in today's day and age it's universally all too common. Not just in academia but in all of business. At least the university is representing that none of the information has been accessed, but these situations would give me grave concern just because the information was exposed, somebody went for it. Usually when someone goes for it, there's a reason why. So I think people should be concerned. But the thing people should realize is just because there was a data breach of information does not mean they're going to become identity theft victims.
They can have all that information out there, but nobody might do anything?
Yeah. And that's what part of the problem is, that level of uncertainty. You know, you combine that with the fact that, unlike trading in illicit drugs, there's only so much drugs to go around ... information can be sold and resold a number of times. ... They can sit on it a year or two. ... Often individuals' addresses might change, but their Social Security numbers aren't going to. Their dates of birth aren't going to. And decreasingly, even with women not changing their names, their names might not change. That type of information does not spoil. And some of this data from the most recent breach at the University of Florida goes back to 1996. ... At least 5,000 people they don't even have good addresses on to contact.
If I graduated from college 15 or 20 years ago, I guess I would expect them to maybe have an address to send me alumni updates. And that's about it. I wouldn't expect them to have tons of information like it sounds like the university had.
And that's part of the problem, too. I don't think from a retention perspective the university is doing what they need to. They tend to hold on to information much longer than they should. ... I just don't think they are getting rid of this data. ...
What can we do, knowing that information is out there?
I think people need to recognize that unfortunately, in this day and age, their data are out there. They're out there 10, 30, 100 times over in various databases, whether it's their university, their doctor's office or their credit card company. That information is just out there. The cat is long out of the bag and I think that people are just starting to recognize that, yeah, there should be a duty for institutions to protect that data. But what can people do?
There's a couple things. First and foremost, one thing we always recommend is at least annually check your credit report. AnnualCreditReport.com is the only official site that is free. ...
And you can do that one for each of the three agencies, one three times a year to spread that out?
Absolutely. You actually can do that. If people don't think they're going to follow up, then it makes sense to get them all at once and do it annually. ...
The other thing that could be done, especially if you've received a breach notification letter ... is there is always the option of placing a fraud alert out there with the credit bureaus. ... You just have to place it with one of the three credit bureaus and it will be forwarded. Now, it's not foolproof. ... But it's just another step they can take.
What about reaching out to the university and saying, 'Hey, UF, dump my stuff. I don't want to be in there any more.'
You could. But the problem right now is that typically the view from a privacy perspective is the information doesn't necessarily belong to the individual, as strange as that might sound. And typically, depending on what they had in place at the university when you went there, you might even have signed a release giving permission to use your information.
Without even recognizing it, probably.
Absolutely. There are so many pieces of paper you sign. ... Most often, especially nowadays, people have signed away those rights. And because universities are not so centralized, so to speak, they might get it out of the admission department or out of registration. But the departments (might still have information).
The University of Florida is a pretty big target. Should people be going to the university and calling every department they ever dealt with and say, 'Do something'?
Yeah. And again, the other side of it, as bad as it sounds, is unfortunately the university isn't really a business. They're not going to be as concerned about ... losing your business. ... (They also might have already sold it to some other source), and they might not have tracked where the information has gone. So even if you could get the information out of their hands, most likely it already has been shared.
Do you have any good news for people who may have had their information pulled out?
Well, unfortunately, and I hate to be all paranoia and all gloom and doom. But the reality is, what's done is done. And people need to take their own responsibility for it and realize it's incumbent upon them as a consumer now to regularly get your credit report. If you don't use credit ... then really consider putting a fraud alert. If you've experienced any activity, you could go the next step and put a security freeze on your account. And then there are a lot of monitoring services that are out there that people can sign up for. ... Really, the main thing is to be proactive.