Princeton Review Security Flaw Outed By Competitor

By Thomas Claburn

InformationWeek

August 20, 2008

http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=210101877

One file reportedly contained information about 34,000 students and another contained names and birth dates of 74,000 students.

The Princeton Review, an educational testing company, inadvertently exposed the personal data and test scores of tens of thousands of Florida students on its Web site, according to a report in The New York Times.

A spokesperson for The Princeton Review said the company has launched an internal investigation and declined to comment further.

According to The New York Times, a Web site configuration flaw made hundreds of files on the Princeton Review's Web site accessible over the Internet. One file reportedly contained information about 34,000 students and another contained names and birth dates of 74,000 students. The Times said that it informed the Princeton Review of the problem on Monday and that the testing service promptly closed the hole.

Such breaches are not uncommon: There were 446 publicly reported breaches in the U.S. in 2007 and some experts suggest that as few as 5% of breaches get publicly reported.

Indeed, hardly a week goes by without the report of a data breach.

On Monday, Richmond, Va.-based Dominion Enterprises disclosed that a computer in its InterActive Financial Marketing Group division was accessed by a hacker between November 2007 and February 2008. As a result, the names, addresses, birth dates, and Social Security numbers of the company's more than 92,000 online credit seekers may have been exposed.

"We have identified what system was compromised and how," a company spokesperson said in an e-mail. "In order to best protect our security systems, I cannot share more details with you about the intrusion."

And on Tuesday, The Irish Times reported that the personal details of 17,000 members of the Institute of Chartered Accountants in Ireland were inadvertently published online as a result of a Web site redesign.

The good news for those affected is that the Government Accountability Office last year found that data breaches seldom lead to identity theft. Out of the 24 largest publicly reported breaches between January 2000 and June 2005, the GAO found evidence of fraud in three of the incidents and evidence of unauthorized account creation in one of the incidents.

What's remarkable about the Princeton Review breach is that one of the testing company's competitors told The New York Times about the hole, under the condition that it not be named.

"It's interesting that this competitor chose to go to a major media outlet about this rather than drop a quiet note to the Princeton Review," said Graham Cluley, senior technology consultant at Sophos, a message security firm. "Clearly they were intending to get some commercial advantage out of this. I think there's a message here for other companies: It's not just hackers that may find a security hole; it's competitors, too."

Phil Neray, VP marketing at Guardium, a database security firm, remains skeptical that other companies are likely to engage in the counter-marketing of rivals. He said it would be hard for him to imagine that, for example, Dell might point out a security hole in HP (NYSE: HPQ)'s Web site. "It sounds like [the testing industry] is a very competitive industry and that's why this happened there," he said.

Cluley said that companies need to understand that if they have sensitive information, they need to take steps to protect it. He added that companies should really only collect information they need and that they should delete data after it is no longer needed.

According to Neray, the problem lies in management. "Boards of directors and management teams have not made [data protection] a priority in many, many companies," he said. "The reason why this has to come from the top is that in many cases you're asking business units to change bad business practices. And you need budgets [to invest in database protection]."

