What happened with DoIT ID exposure
Thursday, January 17, 2008
You may have read in the news of a recent exposure of customer data obtained from purchases made through the DoIT Tech Store. Here is what happened. Near the end of November, PhotoID and email information was inadvertently made available on an obscure DoIT site on the Internet. The incident was revealed when someone reported to DoIT that he googled his ID number and a screen appeared in which his ID data was visible on a UW Web site used to aggregate web usage statistics.
The data elements were the UW Photo ID number and email address. There were 13 reports available on the UW web site. One of the 13 reports (the annual report page) contained the information and had been cached on Google, though not easily accessible or searchable. We counted about 60 accesses to the information on the web server over six months. We notified the 205 people affected. The Tech Store did not create the reports that were mistakenly exposed.
The data exposure was corrected, and stricter access controls were placed on the statistics Web page. At some point soon, the campus will mandate that all ID cards containing SSNs be disabled for electronic identification. In the meantime, if you or a colleague still has an SSN-based UW ID, please go to Union South to get another one. If you bring your old ID with you, the replacement is free. See: http://www.union.wisc.edu/photoid/ for details.
DoIT goes to great lengths to make sure that your transactions at the Tech Store are managed in an expedient, safe manner. We are very sorry for this error, and have taken steps to make sure it never happens again.
As a campus, we need to redouble our efforts to look for and fix web applications that use campus ID. I hope that all campus departments take this misstep as an opportunity to look at the security of applications across campus. If you have any questions about whether or not your department's applications are secure, contact your department IT person, or abuse@wisc.edu.
Ron Kraemer
CIO and Vice Provost of Information Technology