How an Unauthorized Disclosure Occurs
Understanding how data can be disclosed and what to do to protect it is the key to minimizing data breaches.
At MIT data is sometimes sent around campus and between MIT and its business partners in electronic mail attachments, in many cases without protection. Much of this data ends up on individual laptop and desktop computers for long periods of time, available to anyone with access to that computer. Unencrypted data left on computers can easily be compromised, either by loss or theft of the computer, or by unauthorized access caused by a computer virus or a weak password.
Accidents have historically been the number one cause of data breaches requiring notification in higher education. They occur when people make mistakes or don't pay attention. For example:
- Losing a computer, hard drive or paper files
- Keeping computers unpatched and vulnerable to malware
Recent numbers tracked by ESI (Educational Security Incidents) show this trend turning, as more incidents are being reported as a result of deliberate attack (see below). Approximately 36% of reported breaches by universities in 2009 were due to accidental disclosure.
To mitigate this risk, awareness, training and education, occurring on a regular basis, needs to focus on protecting desktops and servers from unauthorized access and on the procedures for handling sensitive data for business purposes.
In certain circumstances, information systems can be penetrated by a deliberate attack. Most often such penetrations are done by hackers specifically looking for information to steal. Employee fraud, impersonation or theft are other deliberate means to access data. Approximately 64% of breaches occurred from attacks in higher education in 2009.
Places where computer systems contain thousands of records with sensitive information, such as a medical center, financial administration area, bursar, human resource department or alumni office are more likely to be targeted by an attacker than smaller systems containing fewer records.
System owners should be regularly viewing access logs, updating access authorizations as employees come and go, as well as putting other protections in place to limit access to these systems for employees with a business need.