Today, I got a letter from my alma mater, Tufts University. The letter was a warning that information about 106,000 alumni has probably been stolen off a computer.
My first thought was, "WTF?!?" My next thought was, "That is so Tufts."
Let me expand those obviously highly condensed thoughts for those scoring the game at home.
Identity theft by electronic means has been prominently reported in the news for the last year or more. Almost every single week, one organization or another reveals that information about tens or hundreds of thousands of people has been stolen. Does the word "ChoicePoint" mean anything to anyone?!?
And yet, here are the nitwits at Tufts, motoring along in their business as usual mindset. Most likely, they thought that no one would ever target a small liberal arts college for computer crime.
One part of the letter reads:
Recently, Tufts detected abnormal activity on a server managed by an external vendor which supports the University's Advancement telefund operation. We immediately took steps to strengthen security for electronic records containing credit card and/or social security numbers.
Hey, nice work folks. I like how they strengthened security after someone had already cracked the system. How's that for shutting the barn door after the cows have already gotten out? That's like watching every house on your street suffer burglaries but doing nothing to increase the security of your home. Then, when your home is robbed, you express shock, and immediately run out and install a series of deadbolt locks on all the doors to your now empty house.
Did the dim bulbs in the Tufts IT department ever think about strengthening security before one of their systems got cracked? Did the thought that perhaps they should audit their security systems and protocols in light of the theft of information from Boston College, ChoicePoint, and others ever cross their little minds? Does Tufts offer a remedial course in network security and what will it take to get the Tufts IT department enrolled?
Learning from the experiences of others and assessing your own vulnerabilities are such utterly basic principles of security that I question exactly what the folks in Tufts IT do know. Clearly, they're not terribly familiar with network security.
Of course, no one will pay for their simpleton IT work with their jobs because the high muckety mucks (who don't know the difference between CAT5 and "Cats: The Musical") will be fed some stupid whitewash story by the IT head honcho. There will be some disappointed mumbling, a few pointed fingers, and the whole thing will disappear into the morass of college bureaucracy.
That leads me to my second thought.
Tufts could be a great university. It won't be, but it could. What ultimately holds it back is a general attitude among the students and faculty that nothing exciting or interesting ever happens there. Students leave campus to party at BC, BU, Harvard or MIT. Faculty run the gamut from great to University of Northern Antarctica rejects. For every competent staff member, there are four members of the bureaucracy that are so awful, I would gladly drop live weasels in my underpants if I could avoid dealing with those staff members ever again (hello, Bursar's Office).
Even while we were there, the IT department was struggling. This was back in the early, early days of the Internet when you pretty much had to be at a University to get online. All students got their e-mail through one mainframe and yet, you never saw such trouble getting one mainframe working. They had complete control of the computing environment and yet they just couldn't get things to work consistently and well.
There was never any real campus uprising about the problems. You never heard anyone complain. It was always just, "Oh, bummer. The mainframe is down again." There was no pressure put on the IT department to improve. There was no incentive for them to fix the problems once and for all. In short, it was as though no one cared.
That is what I mean when I say that this incident is so Tufts. The Tufts IT department clearly didn't care enough to audit their systems and protocols. They clearly didn't care enough to reinforce their network security. They clearly didn't expend enough effort educating their user base about what they, as users, could do to ensure the security of the network.
In addition, it is clear that the University's administration didn't care enough to question the University's IT department after reading about information theft from other organizations. Competent administrators would ask questions, offer to clear roadblocks, and in general, do their part to make sure that the network is secure. My guess is that the Tufts Regents and the University President don't have a clue what was done in light of the obvious threat to shore up the network.
So, Tufts paid for their malaise and incompetence. They spent $41,000 sending letters to thousands of alumni. They got written up in newspapers as yet another victim. And, they virtually ensured that every time they ask for an alumnus's credit card number, the alumnus will say, "Why don't I just post it on a billboard over a busy highway and save you the trouble?"