Metro blows $500k on quick fix
By Matthew Quane
mquane@mscd.edu
When a laptop containing the personal data of Metro students was stolen
from an employee's home in March, the social security numbers of 93,000
students were exposed to possible identity theft.
Though the event was considered a crisis by the administration,
there have been no reports of stolen identities from the laptop.
Of course, if Metro had had a school-wide encryption policy at the time,
the concern over the lost data would have been negligible: a thief's tools
generally include lock picks and crowbars, not decryption software. (That
protection holds only for a laptop that is powered off or locked, with a
passphrase that is not stored alongside it; a machine stolen while logged
in hands over its decrypted disk with no cryptography involved.)
Even data thieves, as a group, lack the means to break properly encrypted
files; when encryption fails in practice it is because the key or passphrase
was weak or left with the device, not because the cipher was defeated.
Identity thieves instead work through packet-sniffing or phishing, in which
the thief poses as an authority figure and simply asks users for login
credentials or other personal data.
But now, six months after the scandal, Business Consultants, Inc. (BCI)
has finally delivered $500,000 worth of services and recommendations to
increase data security on campus and on portable computers.
In his letter to students and faculty, Jordan outlines four major
changes that will take place "in response to the most critical areas of
exposure identified by BCI."
First, the Information Technology department will begin to scan state
laptops for personal data; where confidential data are authorized to be
there, they will be encrypted. It seems Metro has finally decided to
reverse its backwards views on encryption policy.
Encryption software is incredibly cheap – sometimes
even free – and relatively easy to use. If the administration
were to walk into any computer science class and ask the students
how to protect sensitive data, they would receive the same answer
from just about everyone. Encrypt the data and limit access to
the most sensitive bits.
Is that answer worth half a mil? No.
But Metro paid for it anyway.
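How such a laptop scan works in practice, as an added example that is not part of the column or of BCI's deliverables: the Python below searches text for dashed nine-digit numbers, discards well-formed combinations the Social Security Administration never issues (area 000, 666 or 900 and above, group 00, serial 0000), and reports only the last four digits so the scanner's own output does not become a second copy of the data. The file names and contents are constructed for the example; a real scan would walk the disk and parse spreadsheets and documents rather than plain text alone.

```python
"""Added example: scan text for likely Social Security numbers (SSNs)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Dashed form only: a bare nine-digit run matches budget totals and IDs
# far too often to be useful without further context.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    masked: str  # last four digits only; a scanner must not re-leak what it finds


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject well-formed numbers the SSA never issues."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per plausible SSN in `text`, with the number masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in SSN_RE.finditer(line):
            if is_plausible_ssn(*match.groups()):
                findings.append(Finding(path, line_no, f"***-**-{match.group(3)}"))
    return findings


def scan_files(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Map each path that holds plausible SSNs to its findings; clean files are omitted."""
    report = {}
    for path, text in files.items():
        findings = scan_text(path, text)
        if findings:
            report[path] = findings
    return report


# Constructed sample contents standing in for files found on a scanned laptop.
SAMPLE_FILES = {
    "thesis_data.csv": "id,name,ssn\n1,A. Student,123-45-6789\n2,B. Student,987-65-4321\n",
    "notes.txt": "Call IT at 303-556-1234 about ticket 000-12-3456 and order 666-01-2345.\n",
    "grant.txt": "Budget total 123456789; ref 219-09-9999\n",
}

if __name__ == "__main__":
    for path, findings in scan_files(SAMPLE_FILES).items():
        for f in findings:
            print(f"{f.path}:{f.line_no}: possible SSN {f.masked}")
```

The plausibility filter is what keeps the report usable: without it, phone extensions, ticket numbers and test data would bury the two real hits, and staff would stop reading the output.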
The second suggestion from BCI (surprise,
surprise) is to place stronger limits on employees' access
to data in Banner, the student information system in which all student
data, from class schedules to social security numbers, are stored.
Daniel Parks, associate director of admissions and data management,
from whose
home the laptop was stolen, accessed the data through Banner
and was using it to file paperwork for a Title III grant on behalf
of Metro.
However, instead of deleting the data after the grant
had been filed, Parks kept it as a source for his master’s
thesis at UCD. While Metro has absolved Parks of any wrongdoing,
I cannot
help but mark his transgression as an egregious lack of judgment
and responsibility – our data manager managed our most
sensitive data into the hands of a thief.
I understand that it’s
improper to blame the victim, but responsibility fell directly
on Parks and his supervisor. Associate
Vice President of Academic Affairs David Conde was aware of Parks
using the information for his thesis but claims not to have been
asked for permission. Conde told The Metropolitan he felt “confident” in
Parks and was aware of his high-level Banner access. Conde’s
trust must have been misplaced.
Jordan claims in his open letter
that Metro will also begin to strengthen password requirements.
When I attempted to test this,
I found that I could easily revert my password to previous entries
and shorten passwords to a six-character minimum.
I guess this
policy must be in the process of being implemented. Letting users
reuse former passwords is considered a weakness even by Microsoft
Windows' standards; Windows ships an "Enforce password history" setting
whose sole purpose is to block it.
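What "strengthen password requirements" amounts to in code, as an added example that is not taken from the column, from Banner or from Metro: the weak policy below models the behaviour described above (six-character minimum, unlimited reuse) and the strong one enforces a longer minimum plus a password history. The policy values and the account model are assumptions for illustration. Previous passwords are kept only as salted PBKDF2 hashes, so the history itself is not a list of reusable secrets, and the comparison is constant-time.

```python
"""Added example: password policy with a length minimum and hashed history."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # deliberately slow; raise on faster hardware


@dataclass(frozen=True)
class Policy:
    min_length: int
    history_depth: int  # previous passwords that may not be reused; 0 allows reuse


# Assumed values: the weak policy models the behaviour the column describes,
# the strong one a conventional hardening (24 is the ceiling of Windows'
# "Enforce password history" setting).
WEAK_POLICY = Policy(min_length=6, history_depth=0)
STRONG_POLICY = Policy(min_length=12, history_depth=24)


def derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen history cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    # (salt, hash) pairs, newest first; plaintext passwords are never stored.
    history: list[tuple[bytes, bytes]] = field(default_factory=list)

    def reused_within(self, candidate: str, depth: int) -> bool:
        """True if `candidate` equals any of the last `depth` passwords."""
        return any(
            hmac.compare_digest(derive(candidate, salt), digest)
            for salt, digest in self.history[:depth]
        )


def change_password(account: Account, policy: Policy, new_password: str) -> tuple[bool, str]:
    """Apply `policy` to a password change; on success record the new hash."""
    if len(new_password) < policy.min_length:
        return False, f"rejected: shorter than {policy.min_length} characters"
    if account.reused_within(new_password, policy.history_depth):
        return False, f"rejected: matches one of the last {policy.history_depth} passwords"
    salt = os.urandom(16)
    account.history.insert(0, (salt, derive(new_password, salt)))
    # Keep only the entries the policy can ever consult (at least the current one).
    del account.history[max(policy.history_depth, 1):]
    return True, "accepted"


if __name__ == "__main__":
    acct = Account()
    for pw in ("secret", "correct horse battery", "correct horse battery"):
        print(pw, "->", change_password(acct, STRONG_POLICY, pw)[1])
```

Each entry in the history carries its own salt, so checking a candidate against a 24-deep history costs 24 PBKDF2 derivations; that is the price of never storing the old passwords in a form that could be reused if the history table leaked.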
Fourth on
the list of security improvements comes the enforcement of shorter
session time-outs.
This annoyance, aimed at lackadaisical users who forget to log out of
their terminals and leave their Banner sessions exposed, does nothing to
address the real issue, the carelessness of the Metro administration,
while inconveniencing responsible users.
Metro blew a lot of cash to receive only two suggestions from BCI that
actually confront the problems created by Metro's archaic views on data
security: encrypt the data, and limit user access to it. The other
solutions serve as punishment to responsible students and faculty.
Sorry, Mr. Jordan, but frivolous
spending on obvious solutions is no way to make up for a poorly
handled crisis.