CSU Computer System Flaw

[Rodney Petersen <rpetersen () EDUCAUSE EDU>]

In the spirit of sharing higher ed security incidents, I thought the
item below was particularly interesting.  Apparently, the description
below was originally published in the SANS Institute Bulletin and
brought to my attention via the privacy discussion list of CPSR -
Computer Professionals for Social Responsibility.  It illustrates the
number of groups who are watching higher ed closely with an interest in
information security incidents.  Anyone from CSU (or elsewhere) with
more or different information are welcome to comment.

-Rodney


-------- Original Message --------
Subject: [cpsr-privacy] Sleeping Better At Night Dept.
Date: Wed, 26 Mar 2003 12:48:36 -0500 (EST)
To: cpsr-privacy () cpsr org

I thought you all might enjoy this privacy-related item from
a recent SANS Institute bulletin. At least the university is
considering fixing the problem, now that everybody knows
about it.

--California State University Computer System Flaw Exposes Student and
Employee Data
(22 March 2003)
California State University (CSU) officials said they have known about
a vulnerability in the CSU computer system that exposes student and
employee personal data, including Social Security numbers, for years,
but did not plan to fix the problem because it would be too expensive.
Instead, employees had been asked to sign confidentiality agreements to
protect student and employee privacy. The vulnerability was revealed
in a state audit report released last week. A CSU spokesman said
they might reconsider their approach to the problem.
<http://www.fresnobee.com/local/story/6425479p-7370408c.html>
The audit report is available here: <http://www.bsa.ca.gov/bsa/>
CSU's response is available here: <http://cms.calstate.edu/>

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.