It’s June and school is out for the summer, but that doesn’t mean these educational institutions are safe from identity thieves. Two universities made our data breach roundup this month; one breach appears to be intentional, while the other seems to be unintentional. Both, however, show how two very different circumstances can still put personal data at risk.
You will also read about two technology companies that suffered major data breaches—one breach affected 2,000 companies around the world, while the other impacted about 198 million American voters. And again, one company was directly attacked by a threat actor, while the other accidentally exposed personal data online.
Here are the recent data breaches that were making headlines in June 2017:
OneLogin
OneLogin, a company that allows users to manage logins to multiple sites and apps through a cloud-based platform, reported a serious data breach on May 31. Though the breach itself did not occur in June, the aftermath and cleanup have certainly taken over the month for countless businesses. OneLogin provides single sign-on and identity management for about 2,000 companies in 44 countries, over 300 app vendors and more than 70 software-as-a-service providers.
A threat actor obtained a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. The attack lasted only seven hours, but that was enough time for customer data to be compromised, along with the ability to decrypt encrypted data. The full extent of the breach is still unknown.
University of Oklahoma
At the University of Oklahoma (OU), educational records dating back to at least 2002 were unintentionally exposed through incorrect privacy settings on the university’s document sharing system. OU’s student-run newspaper, The Oklahoma Daily, was the first to discover the breach and reported that in just 30 of the hundreds of documents made publicly discoverable on Microsoft Office Delve, there were more than 29,000 instances in which students’ private information was made public to users within OU’s email system. Sensitive information included Social Security numbers, financial aid information, and grades. The file sharing service has been shut down until further notice.
Washington State University
A hard drive, locked inside an 85-pound safe, was stolen from a Washington State University storage unit in Olympia, WA. The hard drive contained the personal information—including Social Security numbers and health histories—of about one million people and had been used to store research the university had conducted for school districts, government offices, and other outside agencies. The university has reached out to individuals who may have been affected, but it says it has no current reason to believe the thief was able to get inside the locked safe and steal the data on the hard drive.
Deep Root Analytics
Deep Root Analytics, a data analytics firm that had previously been hired by the Republican National Committee, suffered a breach when personal data for roughly 198 million American voters was exposed. The sensitive information—which includes names, dates of birth, home addresses, phone numbers, and voter registration details—was stored on an Amazon cloud server without password protection for almost two weeks in June. Deep Root has taken full responsibility, updated the access settings, and put protocols in place to prevent further access.
Check back next month to stay up to date on the most recent data breaches.