Attacker steals personal data of 200K+ people with links to Arizona tech school

An Arizona tech school will send letters to 208,717 current and former students, staff, and parents whose data was exposed during a January break-in that allowed an attacker to steal nearly 50 types of personal info. The East Valley Institute of Technology (EVIT) said a "cyber incident that involved unauthorized access to the …

  1. Tron Silver badge

    That is a Chinese level of data monitoring.

    Although I don't see inside leg measurement and favourite sexual position, almost everything else is on there. And this is just for students?!

    The more information you hold, the more of a honeypot you are. You should never store data you don't need. If you do genuinely need it, store it on a system that is not connected to the internet in any way, or better still, on paper in a file in a locked room.

    You are painting a target on your back and on the back of everyone you hold data on if you demand that much data and then store it on a system connected to the internet.

    It would be nice if folk in relevant positions read about this and audited the information they held, and the way they held it, erased anything they didn't need and moved the rest offline. But that never seems to happen. Maybe the fines need to be much larger, and levied upon the individuals responsible for data storage as well as the companies they work for.

    1. sitta_europea Silver badge

      Re: That is a Chinese level of data monitoring.

      Yeah, I like that bit about holding individuals to account.

      They just hide behind limited corporate liability.

    2. sev.monster Silver badge

      Re: That is a Chinese level of data monitoring.

      Sorry to burst your bubble, but every higher ed school (uni, college, etc) collects and stores this information in their SIS. Whether or not it's good, it's standard practice. Much of it is required to be retained for regulatory compliance: those very same audits you want already exist and are done at least yearly or sometimes more often, but they are designed to ensure universities hold on to data as much as to safeguard it.

      This was likely a direct breach of the SIS, based on the data they say was exfiltrated. Pretty much the worst thing that can happen. It's likely the systems were not connected to the Internet directly, but some API was exploited or they gained access to internal networks. Due to how these places are structured, complete isolation is not possible, and tons of APIs hook into the data at any one time. Could be a report was found on an insecure FTP server somewhere too; it's amazing the number of cloud companies and integrations that require you to dump tens of thousands of records into a CSV and push it to some FTP (no, not SFTP or FTPS, just FTP, our systems don't support anything else) site.

      Hopefully it was an Ellucian product that was exploited, so we can continue to collectively shit on them as an industry.

      1. Anonymous Coward

        Re: That is a Chinese level of data monitoring.

        Yeah, and until the 1990s your student ID was your SSN (or other national ID number for foreign students).

      2. Snake Silver badge

        Re: burst your bubble

        They certainly do *not* need to know your:

        Medical record number

        Treatment location

        Treatment type

        Prescription information

        Treatment information

        Patient account number

        Mental or physical treatment

        Diagnosis code

        and I'm reasonably sure that their breach, with that level of information, flagrantly violates HIPAA and they should be sued for retaining this data with the obvious level of rotten data security. I'd LOVE to see that, they have no right to extremely personal medical details just because you attend a class there.

        1. An_Old_Dog Silver badge

          Re: burst your bubble

          The reason they might have that info on a student is that that student used the student health service.

          1. sev.monster Silver badge

            Re: burst your bubble

            Correct. Some universities even have their own on-site doctors and practices. Mine does, with free checkups for employees and reduced prescription prices, filled on-site. It's the perfect place for nurses in training, and provides a great benefit to the university community at the same time. Now, that data isn't typically (or shouldn't be) stored in the SIS, but who knows how they organized that stuff at EVIT.

            As long as it's HIPAA-compliant and the audits pass, they haven't done anything wrong. Maybe morally objectionable @Snake, but at least nothing legally wrong.
