UC Irvine Students and Tax Returns
A recent story about UC Irvine graduate students and the impact of an unknown data breach has come to the public knowledge in a report from SANS NewsBites. A total of 155 people, who were all graduate students, had been informed when they filed their tax returns that they had been already filed and tax returns received by somebody else.
When this was first reported, I thought it was going to indicate that personal information was leaked from a university-owned data source, but it turns out that the common factor among these students was their health insurance provider. Pretty much all the information needed to conduct this type of fraud, the filing of electronic tax returns, is maintained by health insurers.
According to the recently published "2008 Data Breach Investigations Report" by the Verizon Business RISK Team, key statistics of the 500 breaches studied had:
18 percent of the breaches studied were caused by insiders
30 percent involved multiple parties
39 percent were implicated by business partners
79 percent resulted from external sources
Without any facts at hand particular to the case, this looks to me like an "all of the above" incident.
In comparison to the data breaches of thousands or millions of personnel records, which are often observed as the result of a stolen laptop or server break-in, the actual impact to the victims is not easily measured. In this case, a relatively small group of persons experienced a tangible impact.
This type of data breach with resulting fraud commission highlights the increasing value of data, and reminds me that there is palpable risk in the IT operations between business partners and universities. As more economies of scale improve for data handling and service outsourcing, attention to the basics of security and information handling are well justified.
|
