Western Illinois University

How to Overcome an Unwanted Legacy

Seek-N-Secure® Helps University Clean Up 25 Years' Worth of Problem Data

  • Macomb, Illinois
    Moline Illinois (commuter campus)
  • Public university
  • Founded: 1899
  • Enrollment: 13,400
  • Featured TouchNet technology: Seek-N-SecureĀ®

According to the Privacy Rights Clearinghouse, nearly 350 million records containing sensitive personal information have been compromised in data security breaches since January 2005. Western Illinois University accounted for 180,000 of them after a multi-server hacking incident in June 2006.

Following the breach, the university went to great lengths to secure the personal data in its system from that day forward. Little did the school know that plenty of potentially damaging data was still lingering from long ago. TouchNet Seek-N-Secure helped them find it.

Data at Rest, Campus at Risk
Michael Rodriguez, Western Illinois' chief technology security officer, hypothesized that if the 2006 breach happened today, the university could be looking at a multi-million dollar expense, based on a 2009 Ponemon Institute study that reported an average of $204 per compromised record.

Following the 2006 breach, the institution made major investments in data security technology and strategy. It created a C-level security position and brought in Rodriguez from the banking world. It also instituted a policy to protect student Social Security numbers, which for years had also been used as student ID numbers.

"That was a great first step," Rodriguez said. "The problem was, there was no systematic university-wide effort to enforce its data protection policies by proactively dealing with sensitive legacy data."

Eight months into his job, while investigating a virus that infected a number of university computers, Rodriguez and his team discovered that several of the machines they examined had Social Security numbers stored on the hard drives. "At the time I didn't know the full scope of the situation, but I suspected we had a problem."

Affordable Agents
It stood to reason that if the 10 machines he analyzed housed sensitive legacy data, many of the university's thousands of computers did too.

Rodriguez used the consumer version of well-known ID theft detection software to scan those 10 PCs. To systematically scan every campus computer, he would need the enterprise version, which carried a prohibitive price tag.

However, after talking to TouchNet at the 2009 EDUCAUSE security conference, Rodriguez learned of an effective, more affordable option.

"We had a pretty substantial legacy data problem, and I saw that the Seek-N-Secure product would potentially allow me to tackle the entire problem instead of only the portion we could afford in these economic times," he said.

TouchNet arrived on the scene that summer to install the console-based Seek-N-Secure (SNS) system and to assist in pushing the SNS agents to the first wave of machines to be scanned.

Lots of Needles, Haystacks
The university computers, both PCs and Macs, are all over campus. Rodriguez and his team started with the most active everyday machines of faculty and staff. Notices were sent to university employees, informing them that scans would be taking place and that the agents would be searching for Social Security and credit card numbers.

Here was the typical response he heard: "Oh, you're not going to find anything on this computer."

But in fact, in this first phase of proactive scanning, Social Security numbers were found in roughly 40 percent of the hard drives, and one in four contained credit card numbers.

"Some were older machines, some were newer," Rodriguez said. "I don't think universities are any different than large companies in that employees take their data with them as they move from position to position, or leave it on machines that others inherit. Few people pay any attention to data under their care, and even fewer will actively manage their data."

When the first round of scanning was complete, Seek-N-Secure found and helped clean over 25,000 credit numbers and well over 1 million Social Security numbers. "The numbers got large pretty quickly," Rodriguez said.

Rodriguez saw enough in the first round to recommend ongoing regular scanning. "I feel like we were well on our way to curing a 25-year-old problem in just seven months of intense work," he said.

Keeping it Clean
In addition to proactive, systematic scanning, Rodriguez said Seek-N-Secure is a good forensic tool.

"If we have an incident with a computer, we can use SNS to analyze the data on the machine," he said. "And we can periodically rescan machines in areas that regularly use this type of data. I don't think we'll ever get away from it completely, but I try to get people who have this data to understand their responsibility and proactively work with us to protect it."

In conversations with his peers at other colleges and universities, Rodriguez sees greater awareness of the risks associated with data at rest, but not a lot of action yet.

"I think universities in particular are hesitant to deal with legacy data like this," he said. "It's a daunting task with very real political implications, but it has to be dealt with. I tell them to use a product like Seek-N-Secure and begin telling their own story."

He added that university buy-in is critical, especially at high levels.

"I work to find ways to communicate to upper management that we're dealing with the issue of legacy sensitive data on university computers, and that for a change we are actually ahead as an institution of legislation like the upcoming Identity Protection Act in the state of Illinois," Rodriquez said. "I use numbers a lot ... like credit card numbers being in 25 percent of our machines. I tell them that on average it costs $204 to report one compromised record, but I can find and clean the same record for just pennies using Seek-N-Secure."

Download PDF

Western Illinois University

How to Overcome an Unwanted Legacy

Seek-N-Secure® Helps University Clean Up 25 Years' Worth of Problem Data

  • Macomb, Illinois
    Moline Illinois (commuter campus)
  • Public university
  • Founded: 1899
  • Enrollment: 13,400
  • Featured TouchNet technology: Seek-N-SecureĀ®

According to the Privacy Rights Clearinghouse, nearly 350 million records containing sensitive personal information have been compromised in data security breaches since January 2005. Western Illinois University accounted for 180,000 of them after a multi-server hacking incident in June 2006.

Following the breach, the university went to great lengths to secure the personal data in its system from that day forward. Little did the school know that plenty of potentially damaging data was still lingering from long ago. TouchNet Seek-N-Secure helped them find it.

Data at Rest, Campus at Risk
Michael Rodriguez, Western Illinois' chief technology security officer, hypothesized that if the 2006 breach happened today, the university could be looking at a multi-million dollar expense, based on a 2009 Ponemon Institute study that reported an average of $204 per compromised record.

Following the 2006 breach, the institution made major investments in data security technology and strategy. It created a C-level security position and brought in Rodriguez from the banking world. It also instituted a policy to protect student Social Security numbers, which for years had also been used as student ID numbers.

"That was a great first step," Rodriguez said. "The problem was, there was no systematic university-wide effort to enforce its data protection policies by proactively dealing with sensitive legacy data."

Eight months into his job, while investigating a virus that infected a number of university computers, Rodriguez and his team discovered that several of the machines they examined had Social Security numbers stored on the hard drives. "At the time I didn't know the full scope of the situation, but I suspected we had a problem."

Affordable Agents
It stood to reason that if the 10 machines he analyzed housed sensitive legacy data, many of the university's thousands of computers did too.

Rodriguez used the consumer version of well-known ID theft detection software to scan those 10 PCs. To systematically scan every campus computer, he would need the enterprise version, which carried a prohibitive price tag.

However, after talking to TouchNet at the 2009 EDUCAUSE security conference, Rodriguez learned of an effective, more affordable option.

"We had a pretty substantial legacy data problem, and I saw that the Seek-N-Secure product would potentially allow me to tackle the entire problem instead of only the portion we could afford in these economic times," he said.

TouchNet arrived on the scene that summer to install the console-based Seek-N-Secure (SNS) system and to assist in pushing the SNS agents to the first wave of machines to be scanned.

Lots of Needles, Haystacks
The university computers, both PCs and Macs, are all over campus. Rodriguez and his team started with the most active everyday machines of faculty and staff. Notices were sent to university employees, informing them that scans would be taking place and that the agents would be searching for Social Security and credit card numbers.

Here was the typical response he heard: "Oh, you're not going to find anything on this computer."

But in fact, in this first phase of proactive scanning, Social Security numbers were found in roughly 40 percent of the hard drives, and one in four contained credit card numbers.

"Some were older machines, some were newer," Rodriguez said. "I don't think universities are any different than large companies in that employees take their data with them as they move from position to position, or leave it on machines that others inherit. Few people pay any attention to data under their care, and even fewer will actively manage their data."

When the first round of scanning was complete, Seek-N-Secure found and helped clean over 25,000 credit numbers and well over 1 million Social Security numbers. "The numbers got large pretty quickly," Rodriguez said.

Rodriguez saw enough in the first round to recommend ongoing regular scanning. "I feel like we were well on our way to curing a 25-year-old problem in just seven months of intense work," he said.

Keeping it Clean
In addition to proactive, systematic scanning, Rodriguez said Seek-N-Secure is a good forensic tool.

"If we have an incident with a computer, we can use SNS to analyze the data on the machine," he said. "And we can periodically rescan machines in areas that regularly use this type of data. I don't think we'll ever get away from it completely, but I try to get people who have this data to understand their responsibility and proactively work with us to protect it."

In conversations with his peers at other colleges and universities, Rodriguez sees greater awareness of the risks associated with data at rest, but not a lot of action yet.

"I think universities in particular are hesitant to deal with legacy data like this," he said. "It's a daunting task with very real political implications, but it has to be dealt with. I tell them to use a product like Seek-N-Secure and begin telling their own story."

He added that university buy-in is critical, especially at high levels.

"I work to find ways to communicate to upper management that we're dealing with the issue of legacy sensitive data on university computers, and that for a change we are actually ahead as an institution of legislation like the upcoming Identity Protection Act in the state of Illinois," Rodriquez said. "I use numbers a lot ... like credit card numbers being in 25 percent of our machines. I tell them that on average it costs $204 to report one compromised record, but I can find and clean the same record for just pennies using Seek-N-Secure."

Download PDF