The Los Angeles Times is reporting that a data breach at eight California State campuses exposed the personal information of nearly 80,000 students enrolled in an online sexual violence prevention course.
Cyber security experts at Tripwire have verified with the hired vendor We End Violence that the passwords stored in these systems were not encrypted and provided the following comments.
Ken Westin, Senior Security Analyst for Tripwire:
“This illustrates the need for organizations to question and verify security practices of their vendors, particularly when their systems will be housing personal information. In addition to ensuring that vendors regularly run vulnerability scans and follow system hardening best practices, questions also need to be asked regarding how sensitive information is stored on their systems.”
“I verified with We End Violence by phone that the passwords being stored in these systems were not encrypted. Not following this simple practice exponentially increases the risks for those students. This is particularly true if they use those same passwords for email, banking, social media and other services.”
Tim Erlin, Director of IT Security and Risk Strategy for Tripwire:
“Breaches such as these involving a third-party contractor providing services to a large population are a reminder that your data can be compromised through the supply chain of the organizations with which you interact. Whether it’s a university, retailer or government, it’s become nearly impossible for the average person to know who has access to their personal data, and how it might be at risk.
“It’s often the case with breaches that the full extent of the records compromised isn’t known until well after the first headline is published. We should expect that this breach may expand as investigators dig into the details of who, what, when and how. Other universities contracting with We End Violence, and any similar outside providers, should ask questions about how student data is secured while this topic is getting attention.”