Securing California: The Experience of a Large Database Security Breach
Jim Davis, Associate Vice Chancellor & CIO

What Does it Feel Like
• Denial --> Acceptance
• Technical --> Personal
• Local --> Institutional [lost laptop different]
• Comfortable --> Vulnerable
• No longer the same

Agenda
• Decision to notify
• Notification
  • Email, Letters, Call Center, Website, Media, Calls
• People, People, People
• Aftermath
• Lessons Learned
UCLA Security Incident
Attack detected November 21, 2006
Incident Response Plan put into action
• Took server offline
• Appropriate notifications and engaged FBI
• Began forensic analysis of logs
Sophisticated attack, activity concealed

UCLA Security Incident
Compromised database contained records for 803,000 persons
• Current & Former Students (UCLA)
• Current & Former Employees (UCLA, UCOP, UCM)
• Applicants (UCLA)
• Parents of Financial Aid Applicants (UCLA)
Contained Names & SSNs
• No Drivers License, Credit Card or Bank Account numbers

Decision to Notify
• Notification authority rests with CIO
• Well-established incident response protocol
• The decision panel
  • ISO
  • IPO
  • Dir responsible for breached database operation
  • Campus network architect
  • Legal counsel
  • UC IPO
Determining the Threshold for Security Breach Notification
• Primary notification criteria

The Important Additional Criteria
The University of California recommends consideration of these additional factors:
Decision Tensions
• Big difference in impact on institution between tens of thousands vs. hundreds of thousands of notifications
• Big difference in logistics to notify between tens of thousands and hundreds of thousands
• Wait too long to notify, not responsive
• Wait too long to notify, lose capacity to manage relationships
• Notify too quickly, not prepared to manage relationships
• Notify too many, too quickly: unnecessary alarm
• Informed people protect themselves better
• UCLA's philosophical position on individual privacy is to keep people informed

Notification Logistics
• Notification process project managed by executive lead of unit
• Federated environment
  • Policy puts primary resource burden on unit
• Notification logistics and execution team
  • Unit Executive Head
  • Dir responsible for breached database operation
  • CIO
  • ISO
  • IPO
  • Campus network architect
  • Legal counsel
  • Media and communications
• Functioned like an emergency response team
The Decision Chart [timeline figure: Week 1 through Week 4; tracks Notification Decision, Notification Process, Notification # (800K), Notification Effort; milestones: 800K Notification Decision, Large Notification Logistics Decision]
Notification
Decided to notify 803,000
• Email, US Mail
  • Addresses for 70%
• Press releases and media reports
  • News outlets California, nation and world
  • LA Times, NY Times, AP, CNN, all local TV stations
• www.identityalert.ucla.edu
• 26 Call Centers, 1600 Operators
  • 1000 calls/hour initially
  • 35,000 calls received to date
• 400 follow-up calls
• Reached 75-80% of affected population
• Institutional relationship maintained

Scripting for a Call Center
• Script must be precise, thorough and 'bullet-proof'
• Script and operators must be amenable to immediate corrections and enhancements
• Script must allow for quick and simple coding into a database

Adjusting the Script
Original Script Greeting: "Thank you for calling the UCLA Identity Alert Hotline. I would like to assist you. UCLA knows that this incident has caused concern, and I want to provide you with the information and suggest steps you can take to protect yourself from the possibility of identity theft. So that I can better assist, can you please tell me whether you received notification from the university or whether you heard about the call center from news media reports?"
Script 1 Hour Later: "Thank you for calling the UCLA Identity Alert Hotline. How may I help you?"
Identity Alert website:
http://www.identityalert.ucla.edu/
http://www.identityalert.ucla.edu/what_you_can_do.htm

Identity Alert Web Statistics: December 2006 – September 2007 (and 1/07-9/07)
Need for Escalation Path
• Call center serves specific role:
  • Validation, resource referral and data collection
• BUT...
  • Callers are frightened, frustrated, angry, panicked, indignant, hurt and
  • Need to know more details
  • Need to speak with a UCLA representative who can respond knowledgeably, accurately and honestly
  • Need empathy
  • Need reassurance and assistance regarding next steps

Individual Relations
• The largest group
  • Felt violated, anxious
  • Wanted a live person
    • Answers
    • Reassurance
    • Clarification
    • Empathy
• Smaller group
  • Information & answers
• 2% angered and distraught
  • Demanded to speak to a UCLA official
  • 600 individual calls
"Angry, Irate, Distraught": Examples of Escalation Call Questions
• "How did UCLA let this happen?"
• "The last letter I received from UCLA was a rejection letter, and now I get this. Why was I in your database?"
• "I just got a letter! Does that mean my identity has been stolen?"
• "Who was fired? I want to know who's responsible for this!"
• "This is tremendously upsetting and it's time-consuming to fix. How is UCLA going to make this right for me?"
• "My child got this letter, and he was killed last year. What should I do?"
Post Notification Chart [timeline figure: Week 4 through Week 7; tracks Notification Decision, Notification Process, Compliance Reviews, Notification # (800K), Notification Effort; milestone: Decision to Contact 28,600]

Follow-up Letter: Personalized
Breach Aftermath
• Policy and compliance reviews - no compliance issues
  • UC Office of General Counsel
  • State Attorney General
  • UC Board of Regents
• SSN policies - no compliance issues
• Sparked broader initiatives at state and federal levels on use of SSNs
  • State representative and judiciary
  • FTC
  • Notification laws - Senator Feinstein
• Constituency relations
  • Relations with university generally retained
• No identity theft directly attributable

Reducing Retention of Personal Data
Every SSN had a requirement
• Financial Aid reporting
• Federal Tax Relief Act tuition tax credit
• Test scores
• National Student Clearinghouse
• IRS & EDD
• Identity Matching

UC-wide Information Security
• Policy development and communication:
  - UC Electronic Information Security Policy
  - Stewardship of Electronic Information Resources
• Compliance strategies (e.g. HIPAA, California Security Breach legislation, Payment Card Industry data security, security rider for vendor contracts)
• Shared resources (e.g. UC Security web site; security software & professional services agreements; UC security experts work group)
• Information collection and dissemination:
  - Tracking security breaches and sharing information
  - Raising awareness of the importance of information security
Lessons Learned
• Independent and objective panel for deliberations about whom to notify
• Provisions for confidentiality
• Ensure the call center and web site are ready when notification begins
• Spend time setting up the call center
• Notify through different channels
• Only solid information will cut

In the end it's personal
Notify if YOU would want to be notified
Notify as YOU would want to be notified
Sincerity Drives the Day