Another day, another cybersecurity breach. The University of Northern Colorado (UNC) has reported that the personal information of 12 of its employees was compromised in a cybersecurity breach. UNC’s police department is looking into the breach and, at this time, there’s no clear timeline for when the investigation will be complete.
Hackers managed to breach UNC’s website, Ursa, which acts as the single point of access for students, faculty, and staff looking for resources and information. Using the stolen social security numbers of these 12 individuals, hackers were able to reset their Ursa passwords, gain access to the website, and download these employees’ electronic W2 forms, which contain details including residential addresses, wages, and tax information.
UNC’s post-breach response
The breach was detected by UNC’s cybersecurity monitoring system, which then notified the affected individuals. Once the breach was brought to UNC’s attention, they quickly disabled Ursa’s online password reset function. Now, as a temporary measure, users who want to reset their password have to call the university’s information management and technology office.
UNC did everything right when the breach was detected. They had a security solution in place that alerted the admins and affected users the moment the incident occurred. The university was also able to immediately disable the password reset option and promptly informed the police.
The need for the GDPR
While we commend UNC for how they handled this breach, we should also remember that there are many organizations who are still susceptible to this type of attack and, more alarmingly, lack the proper tools for the appropriate response to data breaches. Subpar security practices like these are exactly what compliance regulations like the General Data Protection Regulation (GDPR) are trying to overcome.
The GDPR’s strict requirements and huge non-compliance penalties (€20 million or four percent of an organization’s global annual turnover) make it stand out from all other regulations in the industry. When the GDPR goes into effect on May 25, 2018, any organization that targets consumers in the EU, processes the personal data of EU citizens, or monitors the behavior of EU data subjects will have to comply with its requirements.
These requirements aim to provide individuals with more control over how their personal data is handled by enterprises. The GDPR mandates that organizations enhance their security strategies to ensure data security at all levels, as well as prepare an outline of post-breach strategies to minimize the impact of attacks.
Looking at UNC’s recent data breach, you can see how their breach detection and response aligned with the GDPR’s requirements. Implementing a security system to identify a breach as soon as possible? Check. Notifying data subjects immediately following the breach? Check. Resolving the vulnerability that caused the breach to avoid further data leaks? Check.
Although stories of well-handled data breaches are rarer than we’d hope, UNC’s example shows that good IT security is doable. If you’re looking to set a good example with your organization’s IT security, check out our free GDPR resource kit.