It has been reported that a database breach at Georgia Tech has exposed the personal information of up to 1.3 million current and former faculty members, students, staff and student applicants, according to school officials. Georgia Tech announced yesterday that a central database was accessed by an unknown outside entity through a web application, though it is unclear exactly who was affected. The school, which typically has around 30,000 students enrolled, said it learned of the security breach in “late March.”
https://twitter.com/mattdotts/status/1113256133978779648
Experts Comments Below:
Adam Brown, Manager of Security Solutions at Synopsys:
“Indications that the breach came through a web application are surprising, given this institute’s strong reputation in computer science. Web application security flaws and vulnerabilities are well documented and understood, even categorised into a well-known top 10 list (OWASP Top 10). Technical controls must be underpinned with process and policy for them to be effective; it will be interesting to see what went wrong here. Inevitably some students will be European citizens, so this will likely trigger a GDPR breach investigation.”
Tim Mackey, Senior Technical Evangelist at Synopsys:
“Under the Georgia Personal Identity Protection Act, notification of a data breach involving personal information must be made to affected residents of Georgia. Given the size of the breach, the Act provides for the use of public announcements via media as an option. Fortunately, a Georgia Tech spokesperson has indicated that the university will be directly contacting affected individuals as many students are likely not full time residents of the state. Importantly, the Act contains provisions obligating the university to report the breach to credit reporting agencies. With many of the impacted individuals just starting adult life, identity theft can be particularly damaging to them. Students at Georgia Tech should place credit holds in place, and ensure that any credentials used for services at Georgia Tech aren’t’ reused elsewhere. It is my hope that Georgia Tech will disclose the attack vector used in this breach such that others can learn from this experience and we might collectively improve our cybersecurity processes. Additionally, with the impacted population of students potentially coming from all US states and many countries, I feel a national standard for data privacy management and breach disclosure is due.”
Brian Johnson, CEO and Co-founder at DivvyCloud:
“Much like Yale’s disclosure of its data breach last year that it suffered between 2008 and 2009, it could only be a matter of days before affected individuals begin to file class-action lawsuits against GeorgiaTech for failing to comply with privacy regulations. The financial implications of this breach are likely to be significant—not only in terms of lawsuits and fees for failing to comply with data privacy regulations, but also in terms of damaged reputation. Students were outraged at a similar breach in July 2018 when the university mistakenly shared the personal information of about 8,000 students in the College of Computing with other students at the school. This latest breach will surely add fuel to the fire.
When organizations are entrusted with highly confidential information, such as Social Security numbers, it becomes the organization’s responsibility to protect it. Georgia Tech’s incident should serve as a wake-up call for other colleges to leverage automated security solutions. By implementing seamless and continuous policy enforcement, organizations can provide a framework for successfully reducing risk and maintaining compliance across an entire IT environment. These types of tools are especially important for large organizations, like prominent universities, that have complex and dispersed IT environments, spread over multiple campuses and individual colleges/departments.”
Jonathan Bensen, CISO and Senior Director of Product Management at Balbix:
“Georgia Tech is a nationally recognized research university with over 20,000 current students and an alumni network of 140,000 members worldwide who count on the university to protect their data. Unfortunately for them, this is the second year in a row that Georgia Tech has suffered a data breach. In 2018 nearly 8,000 student records were exposed, and this time more than 1 million students, faculty and staff were affected. It seems the university did not learn from last year’s blunder and is paying the price with an even heftier data breach. Higher education institutions, like Georgia Tech, must implement a more proactive approach to security and leverage tools that can actually predict when and where a breach is most likely to occur so that appropriate remediation can be applied before damage is done.”
Ben Goodman, VP of Global Strategy and Innovation at ForgeRock:
“Academic institutions are a growing target for attacks given the personally identifiable information they collect for tens of thousands of students, employees, donors and partners. This data will quickly make its way to the dark web where it will be used for identity theft, synthetic identity creation and robotic account takeovers. Now, more than ever, education institutions must use modern behavioral analytics, Know Your Customer and identity proofing tools during account originations and during email and password reset to fight against these well-armed fraudsters.”
Kevin Gosschalk, CEO and Co-founder at Arkose Labs:
“Organizations need to understand their databases are at a constant risk of being attacked. Hackers are evolving and developing new ways to access data, which means organizations need to be prepared to defend against attacks from all access points. In this case, an unauthorized user was able to gain entry into Georgia Tech’s database through a web application and now 1.3 million accounts have potentially been compromised. This could have been avoided if the attack surface was monitored to identify databases that have been misconfigured, as well as those that may be compromised, and by enforcing multi-factor authentication before an attack takes place.”
Tim Erlin, VP at Tripwire:
“Right now we don’t know when, how or who committed this breach. That’s not a lot to go on if you’re looking to draw lessons on how to avoid this type of breach in your organisation. Any organisation that’s storing personal data must put in place basic security protections like finding and remediating vulnerabilities and assurance that applications are securely configured. Without the basics, you’re effectively the easiest target on the block.”
.
Dan Tuchler, CMO at SecurityFirst:
“How ironic that a university with a high ranking in computer science, which offers courses in cybersecurity, got hacked. This in a state which has had privacy regulations in place – the Georgia Personal Identity Protection Act – since 2007. This is a clear example of the need for encryption of personal data. Hackers always find a way in and they need to be stopped before they get the personal data.”
.
