It's embarrassing for an organization when a hacker punches through its network security and accesses sensitive data. For people like Kelly Savio, it's a never-ending nightmare.
As a journalism student, Savio worked at San Diego State University, where a hacker broke into the financial aid department's computer records in December and accessed Social Security numbers and other confidential information. Savio found out about it from her boss when an internal e-mail was sent to department administrators in February, but she didn't receive official notification that her information was compromised until March -- when the school was on spring break.
"I later found out that up to 100,000 were affected," Savio said. "It wasn't just people attending the university. It was faculty and staff, anyone who had ever applied -- a whole range of people. I was having a panic attack. I thought my credit rating would be ruined. I've been incredibly lucky because my information wasn't used. But I'll always have to be alert because my Social Security number is still floating around out there, and I've talked to people whose information was used."
The university, which didn't return calls for comment, joins a growing list of institutions that have suffered a security breach in recent months. Others include San Jose, Calif.-based network giant Cisco Systems, which acknowledged last month that source code had been stolen from its network; and computer distributor Ingram Micro Inc. of Santa Ana, Calif., which disclosed in a May letter to former and current employees that it had detected unauthorized access to computer systems containing names and personal identification, such as Social Security and passport numbers, according to media reports.
Several laws require that institutions protect sensitive data stored in computer networks and acknowledge when information is compromised, including the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, Gramm-Leach-Bliley and the California Security Breach Notification Act. While most institutions appear to be complying with those laws, they continue to struggle over the speed and extent to which they should acknowledge problems.
As far as Savio is concerned, "Any organization that discovers it has been compromised has to understand there will be a level of panic from those who find out their information has been stolen. Extraordinary effort should be taken to notify people as soon as possible, and they must make someone available to talk to people who may be concerned. They really need to show that they are doing everything they can to protect our information and notify us when something happens."
Jonathan Bingham is president of Intrusic Inc. of Waltham, Mass., which specializes in trying to prevent network break-ins from within a company. A soon-to-be-released Michigan State University study suggests as many as 70% of information security attacks originate with current and former employees. Bingham is convinced most companies have been compromised at some level, and that it can be very difficult to detect intruders.
"Companies can no longer do business inside their own walls," he said. "You have more interconnection, more potential for someone from the outside to get in disguised as a legitimate user. What happens when someone gets in the network and they're not who they say they are? That's a huge problem for big companies. A hundred thousand people who aren't full-time employees can access your network and inject security problems. There are people out there trading user names and passwords, like trading baseball cards. Because the Internet cloaks identities, you never know who you're dealing with."
While institutions can't prevent future network break-ins by disclosing problems they've already had, Bingham agrees that "when customers are affected, you have to let them know immediately."
"I've seen university studies that show a negative effect on organizations that are hacked," he said. But from a public relations standpoint, he added, silence can be as damaging as the break-in itself.