In May, a flaw in a supposedly private SFU database was discovered. The database, which held the contents of IT help tickets from 2013 to 2016, reportedly did not have the appropriate security measures activated.
According to director of university communications, Kurt Heinrich, “The privacy breach occurred on January 27, 2016, when IT Services inadvertently copied incidents, inquiries, and requests onto a server with an unprotected database during the transition to a new trouble ticketing system. The exposed database was discovered on May 16, 2016, and was taken offline on May 17, 2016.”
Though the information on the database is not the type typically sought after by hackers, chief information officer Mark Roman insisted that no breach in privacy is acceptable.
“We have a standard protocol that we follow for a security breach, so we make sure we follow all the government-defined protocols, we make sure the appropriate people are notified. Even if there was only one name and one piece of private information there, we have to follow the full protocol, and I think that’s appropriate.”
After the breach in security came to light, the university notified the affected individuals. An estimated total of 20,000 emails were accessible on the server through the Internet: roughly 12,000 SFU-based accounts and 8,000 non-SFU accounts, which were tied to over 100,000 IT requests.
Almost all of these requests pertained to tech inquiries and computer aid, but there’s no way to tell whether some contained private information that users did not want to be available to the public.
“[S]ometimes people do communicate more information in these things, like, they’re conveying a sense of urgency about the ticket, and it might explain the reason why, and sometimes the reason why might contain private information,” Roman told The Peak.
With the recent ransomware attack at the University of Calgary, the need for online privacy security seems more pertinent than ever. U of C had to pay a $20,000-ransom to get the university’s IT systems back from hackers due to improper server patching and mishandled management, as Roman suggested.
Luckily, the gravity of SFU’s situation is not comparable to that of U of C’s.
“There’s all kinds of horrible problems that happen when you manage these issues like the University of Calgary did. So we’re not there,” said Roman. “I don’t like these things happening, and we do our best to prevent them. But it’s not what happened to the University of Calgary, it’s a very different problem.”
As for whether this breach will impact SFU’s phishing email problem, both Roman and Heinrich seem doubtful. “I don’t think so, I don’t think they’re related,” said Roman on the matter. Each day of the 1.2 million messages sent to SFU emails, 1 million are spam and the university must work hard to block them.
Heinrich stated that “we have no evidence that there has been any misuse of the information contained in the database. That said, we are asking that any impacted students/staff/faculty monitor personal accounts and be vigilant for attempts at social engineering, spear phishing, and fraud.”
Moving forward, SFU will administer several preventative online security measures, including conducting an external audit, increasing security staff, forming a change advisory board, and hopefully implementing an artificial intelligence tool that is able to monitor suspicious online behaviour.
“These systems are so complex,” said Roman. “There’s 160 people in our central IT organization here, and we’re managing massive systems, and hugely complex systems. So we try really hard to do our best in terms of security.”
As for how SFU students and staff can help avoid liabilities to their personal online accounts, Heinrich advises them to “be vigilant for attempts at social engineering, spear phishing, and fraud; never share your passwords with anyone; and use anti-malware software and keep your computer and mobile device patches up-to-date.”
