



Securing California

The Experience of a Large Database Security Breach
Jim Davis, Associate Vice Chancellor & CIO



What Does it Feel Like

  • Denial --> Acceptance

  • Technical --> Personal

  • Local --> Institutional [lost laptop different]

  • Comfortable --> Vulnerable

  • No longer the same



Agenda

  • Decision to notify

  • Notification

  • Email, Letters, Call Center, Website, Media, Calls

  • People, People, People

  • Aftermath

  • Lessons Learned



UCLA Security Incident

Attack detected November 21, 2006

Incident Response Plan put into action

  • Took server offline

  • Appropriate notifications and engaged FBI

  • Began forensic analysis of logs

    Sophisticated attack, activity concealed



UCLA Security Incident

Compromised database contained records for 803,000 persons

  • Current & Former Students (UCLA)

  • Current & Former Employees (UCLA, UCOP, UCM)

  • Applicants (UCLA)

  • Parents of Financial Aid Applicants (UCLA)

    Contained Names & SSNs

  • No Drivers License, Credit Card or Bank Account numbers



Decision to Notify

  • Notification authority rests with CIO

  • Well-established incident response protocol

  • The decision panel

    • ISO

    • IPO

    • Dir responsible for breached database operation

    • Campus network architect

    • Legal counsel

    • UC IPO



Determining the Threshold for Security Breach Notification

  • Primary notification criteria



The Important Additional Criteria

The University of California recommends consideration of these additional factors:



Decision Tensions

  • Big difference in impact on the institution between tens of thousands and hundreds of thousands of notifications

  • Big difference in logistics to notify between tens of thousands and hundreds of thousands

  • Wait too long to notify, not responsive

  • Wait too long to notify, lose capacity to manage relationships

  • Notify too quickly, not prepared to manage relationships

  • Notify too many, too quickly: unnecessary alarm

  • Informed people protect themselves better

  • UCLA’s philosophical position on individual privacy is to keep people informed



Notification Logistics

  • Notification process project managed by executive lead of unit

    • Federated environment

    • Policy puts primary resource burden on unit

  • Notification logistics and execution team

    • Unit Executive Head

    • Dir responsible for breached database operation

    • CIO

    • ISO

    • IPO

    • Campus network architect

    • Legal counsel

    • Media and communications

  • Functioned like an emergency response team


The Decision Chart

[Figure: timeline chart, Week 1 through Week 4. Tracks shown: Notification Decision and Notification Process; the 800K Notification Decision; the Large Notification Logistics Decision; and a curve of Notification Effort against # of Notifications (800 K).]


Notification

Decided to notify 803,000

  • Email, US Mail

    • Addresses for 70%

  • Press releases and media reports

    • News outlets California, nation and world

    • LA Times, NY Times, AP, CNN, all local TV stations

  • www.identityalert.ucla.edu

  • 26 Call Centers, 1600 Operators

    • 1000 calls/hour initially

    • 35,000 calls received to date

    • 400 follow-up calls

  • Reached 75-80% of affected population

    • Institutional relationship maintained



Scripting for A Call Center

  • Script must be precise, thorough and ‘bullet-proof’

  • Script and operators must be amenable to immediate corrections and enhancements

  • Script must allow for quick and simple coding into a database



Adjusting the Script:

Original Script Greeting:

“Thank you for calling the UCLA Identity Alert Hotline. I would like to assist you. UCLA knows that this incident has caused concern, and I want to provide you with the information and suggest steps you can take to protect yourself from the possibility of identity theft. So that I can better assist, can you please tell me whether you received notification from the university or whether you heard about the call center from news media reports?”

Script 1 hour Later:

“Thank you for calling the UCLA Identity Alert Hotline. How may I help you?”


Call Center Statistics: December 2006 – August 2007



http://www.identityalert.ucla.edu/

Gwen’s website slides here



http://www.identityalert.ucla.edu/what_you_can_do.htm

Gwen’s website slides here


Identity Alert Web Statistics: December 2006 – September 2007 (and 1/07-9/07)



Need for Escalation Path

  • Call center serves specific role:

    • Validation, resource referral and data collection

  • BUT…

  • Callers are frightened, frustrated, angry, panicked, indignant, hurt and:

    • Need to know more details

    • Need to speak with a UCLA representative who can respond knowledgeably, accurately and honestly

    • Need empathy

    • Need reassurance and assistance regarding next steps



Individual Relations

  • The largest group

    • Felt violated, anxious

    • Wanted a live person

      • Answers

      • Reassurance

      • Clarification

      • Empathy

  • Smaller group

    • Information & answers

  • 2% angered and distraught

    • Demanded to speak with a UCLA official

    • 600 individual calls


“Angry, Irate, Distraught”: Examples of Escalation Call Questions

“How did UCLA let this happen?”

“The last letter I received from UCLA was a rejection letter, and now I get this. Why was I in your database?”

“I just got a letter! Does that mean my identity has been stolen?”

“Who was fired? I want to know who’s responsible for this!”

“This is tremendously upsetting and it’s time-consuming to fix. How is UCLA going to make this right for me?”

“My child got this letter, and he was killed last year. What should I do?”


Post Notification Chart

[Figure: timeline chart, Week 4 through Week 7. Tracks shown: Notification Decision, Notification Process and Compliance Reviews; the Decision to Contact 28,600; and the 800 K Notification Effort against # of Notifications.]



Follow-up Letter

Personalized



Breach Aftermath

  • Policy and compliance reviews - no compliance issues

    • UC Office of General Counsel

    • State Attorney General

    • UC Board of Regents

  • SSN policies - no compliance issues

    • Sparked broader initiatives at state and federal levels on use of SSNs

    • State representative and judiciary

    • FTC

  • Notification laws - Senator Feinstein

  • Constituency relations

    • Relations with university generally retained

    • No identity theft directly attributable



Reducing Retention of Personal Data

Every SSN held was tied to a requirement:

  • Financial Aid reporting

  • Federal Tax Relief Act tuition tax credit

  • Test scores

  • National Student Clearinghouse

  • IRS & EDD

  • Identity Matching



UC-wide Information Security

  • Policy development and communication:

    - UC Electronic Information Security Policy

    - Stewardship of Electronic Information Resources

  • Compliance strategies: (e.g. HIPAA, California Security Breach legislation, Payment Card Industry data security, security rider for vendor contracts)

  • Shared resources: (e.g. UC Security web site; security software & professional services agreements; UC security experts work group)

  • Information collection and dissemination:

    - Tracking security breaches and sharing information

    - Raising awareness of the importance of information security



Lessons Learned

  • Independent and objective panel for deliberations about whom to notify

  • Provisions for confidentiality

  • Ensure the call center and web site are ready when notification begins

  • Spend time setting up the call center

  • Notify through different channels

  • Only solid information will cut



In the end it’s personal

Notify if YOU would want to be notified

Notify as YOU would want to be notified

Sincerity Drives the Day

