ROTC Computer Files Found in the Public Domain
Technology error exposes personal information
A file transfer program erroneously installed on a server in an Army Reserve Officers’ Training Corps (ROTC) office at Boston University inadvertently exposed personal information about thousands of people affiliated with the program. University officials say the compromised computer was taken off-line when the breach was identified on July 28; they are working with the U.S. Army Cadet Command to contact every person whose information was placed at risk.
The incident involved information on 6,675 people, say University administrators, 406 of whom are affiliated with BU. Officials believe the rest come from ROTC branches around the country.
Tracy Schroeder, BU’s vice president for information systems and technology, says the University moved quickly to take the computer off the BU network and secure it.
“We have done everything possible to conduct a thorough analysis of the data, notify affected individuals, and identify steps to prevent such accidents in the future,” says Schroeder. “We know that people trust the BU network, and we are committed to maintaining that trust.”
The security breach was discovered at approximately 2 p.m. on Friday, July 28, by Andrew B. Binder, a network administrator for the California-based Alfred Mann Foundation, a nonprofit medical research foundation. Binder, a U.S. Navy reservist who reports that he has been a victim of identity theft twice in recent years, says he was searching the Web for software to help connect to a military Web site when he came upon documents containing personal data.
“I didn’t want to see my brothers go through what I went through with identity theft,” says Binder, who called BU to warn of the vulnerability. He informed James H. Stone, director of consulting services in Information Systems & Technology and a high-technology crime investigator, who took the compromised file server off-line.
An investigation has revealed that the information, which includes social security numbers and some birth dates, had been exposed since last September, when an ROTC member installed a file transfer program on an ROTC server. That installation, conducted without consultation with the University, placed information in the public domain.
Douglas Sears, associate provost and assistant to the president for outreach and special initiatives and director of BU’s Division of Military Education, says he is pleased with the forthrightness of military colleagues, led by Lt. Colonel Scott Williams, a professor and chairman of the Department of Military Science, who worked with University officials to find out what occurred and to address the problem.
“Obviously we are distressed that personal information may have been compromised because of an error within our unit,” says Sears. “The University has moved quickly to address the issue and to make available to possibly affected individuals the appropriate means for ensuring they do not become victims of identity theft. We will work with Vice President Schroeder and her staff to implement controls and procedures that will ensure that information is properly stored, protected, and removed when no longer needed.”
Schroeder says the University has purchased an excellent identity theft protection service to work with anyone whose identity was stolen. A third-party security vendor, Protiviti, Inc., also has been hired to investigate the breach and make recommendations about how to prevent data leaks. She says the University is working with the U.S. Army Cadet Command to send letters to everyone whose information was made available and has notified Massachusetts Attorney General Martha Coakley (LAW’79) and other regulatory agencies.
Art Jahnke can be reached at firstname.lastname@example.org Comments