Quotable... |
"Success is more a function of consistent common sense than it is of genius."
-- An Wang
|
|
Last month we started our annual review of last year's Case in Point by looking at the categories as a whole. This month we focus on the Information Technology (IT) category, which certainly brings substantial risk to all institutions.
When we break down the stories in this category, the top 3 issues in order of frequency are:
- Data Breach/Hack
- Accidental Exposure of Data
- Lost or Stolen Device
The overall numbers and types of events are fairly similar to the last few years. We dove deeper into each category and evaluated the circumstances of events to come up with some basic advice for avoiding these particular risks.
Data Breach/Hack - You may be tempted to think this is a central/security IT topic and not one that you can control. While there are some things that IT professionals handle behind the scenes, if you are connected to the institution's system, you are a potential target for those wanting to do harm. As the old adage goes, a chain is only as strong as its weakest link. Your role is to avoid being that weak link, and you can do this by practicing safe computing. AU's Information Security Group has put together a very helpful resource at this link: http://www.auburn.edu/oit/security/. We encourage you to read through these suggestions for ways you can protect yourself and our institution from IT related risks.
Accidental Exposure of Data – The second most frequent problem noted during 2018 is one you can definitely impact. By far, the most common incident was carelessly emailing protected data to those outside the institution (who had no need or right to the data). These cases weren't malicious or intentional, simply careless mistakes where the wrong information was sent to the wrong people. If you handle confidential data, you have a responsibility to go the extra mile in protecting this data.
Lost or Stolen Devices – Laptops, jump drives, and external hard drives with confidential data were lost at institutions coast to coast during 2018. This is another risk that you can control. The use of encryption is certainly the most important way to mitigate the risk, but common-sense security of devices like these is also important. You should ask yourself if confidential data needs to be on the devices that leave your workspace. Often there is no real need to raise the risk level by transporting data. Think about what data is on what device and make wise decisions.
IT risks require all faculty, administrators, staff, students, and departments to be diligent and vigilant in protecting data and systems. While IT related risks are probably near the top in importance, there are multiple areas we must stay aware of in higher education. We invite you to review the events that occurred at institutions in the past month. As always, we welcome your feedback.
M. Kevin Robinson, CIA, CFE
Associate Vice President
Office of Audit, Compliance & Privacy
Follow Case in Point on twitter @AUOACP
Information Security & Technology Events
Feb 21: Amherst College experienced a catastrophic technical mishap last week that left the campus without access to online services -- for five days. As IT staff scrambled to fix the problem, faculty and students suddenly found themselves without access to Wi-Fi, email, Moodle, accounting systems, card-scanning systems or any content hosted on the Amherst.edu website. That a scenario totally inconceivable on most modern campuses occurred at the wealthy private, liberal arts college in Amherst, Mass., was doubly surprising. (link)
Feb 14: Before this week, Stanford students could view the Common Applications and high school transcripts of other students if they first requested to view their own admission documents under the Family Educational Rights and Privacy Act (FERPA). Accessible documents contained sensitive personal information including, for some students, Social Security numbers. Other obtainable data included students' ethnicity, legacy status, home address, citizenship status, criminal status, standardized test scores, personal essays and whether they applied for financial aid. Official standardized test score reports were also accessible. Students' documents were not searchable by name, but were instead made accessible by changing a numeric ID in a URL. (link)
Feb 05: Human error caused a massive leak of personal information of all active students in the Cal Poly Pomona College of Science. On Jan. 29, the campus community was notified via email of the leak. The incident occurred Jan. 28 when a university employee within the Computer Science Department intended to send an email containing advising information for 940 computer science students. Inadvertently, the employee also attached an Excel spreadsheet containing personal information of all 4,557 active students in the College of Science. (link)
Feb 04: More than 200 current and former students of Pellissippi State Community College could be in danger of identity theft because an unauthorized user had access to their personal information, the school revealed Monday. According to the college, an investigation showed that of 1,800 emails in the account that was accessed by an unauthorized user, 222 contained information such as first name, last name, Pellissippi State username, student identification number, date of birth, driver's license number and/or partial or full Social Security number. (link)
Fraud & Ethics Related Events
Feb 26: UMKC pharmacy professor Ashim Mitra stole a student's research and sold it secretly to a pharmaceutical company, defrauding the university of millions of dollars, the University of Missouri alleges in a lawsuit filed Tuesday. Mitra, the suit alleges, already has improperly reaped $1.5 million from the sale and has the potential of earning $10 million more in royalties over the next five years from what the university says could be a billion-dollar drug. (link)
Feb 25: Louisiana State University police say three men stole a John Deere utility vehicle from the football locker room and took it for an early-morning drunken joyride. When stopped, the men refused to tell police where they got the vehicle, but it had an LSU property tag and markings confirming it belonged to football equipment staff. The Gator XUV is valued at more than $10,000. (link)
Feb 25: A former Virginia Tech professor studying artificial sweeteners was found guilty last week of conspiring to commit federal grant fraud, making false statements and obstruction by falsification. According to the chief judge of the Western District of Virginia, Michael F. Urbanski, Yiheng Percival Zhang, 57, of Blacksburg, Va., is guilty of one charge of conspiracy to defraud the U.S., three counts of making false statement and one count of obstruction by falsification. "This verdict shows our commitment to hold individuals accountable who seek to fraudulently obtain federal funds. Mr. Zhang used his position of prominence to unlawfully seek money from federal grant programs and will now pay for it," FAUSA Bubar said today. (link)
Feb 12: A former Rhodes College student pleaded guilty Tuesday to hacking into the college's computer system to change his grades and keep his scholarship. Michael Geddati, 20, was a freshman pre-med major when between December 2017 and May 2018, he accessed various systems without authorization to raise his grades. Geddati's actions were detected after a faculty member noticed that the grade in the computer system was higher than the one Geddati had earned. The investigation showed that on dozens of occasions, Geddati logged in as an instructor. He frequently changed his grades and was able to download an exam ahead of when it was given. (link)
Feb 07: Calgary police are investigating after $46,000 worth of products were taken through fraudulent orders by people pretending to represent the University of Calgary. CPS first became aware of the scam on Jan. 19, after a local business received an email with a fake purchase order that appeared to be from the school, ordering $13,000 worth of power tools. The tools were delivered to a warehouse the next day and a receptionist signed for the tools. (link)
Feb 06: Former University of New Mexico athletic director Paul Krebs, who left in 2017 amid questions over spending, was charged Wednesday with fraud, money laundering and other felonies, state prosecutors said. The attorney general's office said in a criminal complaint that Krebs used his position "to pursue his private interest by planning and participating in a trip to Scotland that was paid for by the University of New Mexico using public money." (link)
Feb 01: A former University of Missouri, Columbia, tutor violated NCAA ethical conduct, academic misconduct and academic extra benefits rules when she completed academic work for 12 student-athletes, according to a Division I Committee on Infractions panel. Although the tutor said she felt pressure to ensure student-athletes passed courses, according to the committee's report, the investigation did not support that her colleagues directed her to complete the student-athletes' work. (link)
Feb 01: A former UC Riverside employee who admitted embezzling money from the university to help his financially struggling father is awaiting sentencing. Lauren Michael Flores, 27, a Loma Linda resident, pleaded no contest on Nov. 28 to misdemeanor charges of grand theft from an employer and insurance fraud. The UCR police investigation began Dec. 1, 2017, after Professor Aaron Seitz, director of the UCR Brain Game Center, noticed that an $803.92 payment on an auto loan in Flores' name had been made out of the Office of Research and Economic Development's bank account, according to a declaration written to obtain an arrest warrant. (link)
Compliance/Regulatory & Legal Events
Feb 27 A former Rutgers medical school professor and director at the Rutgers Cancer Institute of New Jersey has been accused of recording at least 26 women and three other people in various states of undress in a bathroom and breaking into his colleague’s offices to commit identity theft, among other charges in a sweeping 160-count indictment of alleged illegal activity over a two year span. Dr. James Goydos, 58, a then-professor of surgery Rutgers Robert Wood Johnson Medical School, was initially arrested in March 2018 and charged with having an unregistered and unlicensed assault rifle after police searched his East Brunswick home. (link)
Feb 25: A San Francisco State University assistant track coach was arrested last week for sexually assaulting four girls while he worked as a high school track coach in the South Bay, authorities said. Chioke Robinson, 43, was arrested Thursday and charged the next day with 15 counts of oral copulation, sexual penetration, and lewd and lascivious acts with minors, according to the Santa Clara County district attorney's office. San Francisco State officials confirmed Monday that Robinson was arrested on campus and has been placed on "investigatory leave." Robinson has been employed at the university since 2016. (link)
Feb 21: The stolen women's underwear was kept, meticulously organized, in storage containers labeled with the names of current and former University of Kansas volleyball players, according to prosecutors. The storage containers allegedly belonged to Skyler Nicholas Yee, 23, a former volunteer assistant volleyball coach accused of stealing the items in a series of burglaries. Yee served as a volunteer assistant coach for the KU volleyball team from 2016 to 2018. He previously had been a manager for the team. (link)
Feb 21: Rider University has agreed to revamp camping dining operations and offer more options for students with celiac diesease after the feds accused the school of violating the Americans with Disabilities Act. The feds investigated when a student with celiac disease complained the university wasn't sensitive to food allergies. And it determined the university "failed to provide reasonable modifications to its policies, practices, and procedures for students with food allergy-related disabilities and failed to adequately train its staff on appropriate policies for accommodating individuals with food allergies." (link)
Feb 20: Two Michigan State University athletic trainers gave false statements to police about their knowledge of sexual abuse by Larry Nassar, the state's licensing agency said. The Michigan Department of Licensing and Regulatory Affairs filed administrative complaints against Destiny Teachnor-Hauk and Lianna Hadden, according to a news release. Both Teachnor-Hauk and Hadden still work for the university. (link)
Feb 19: UC Berkeley has suspended a prominent professor in the department of East Asian languages and cultures after finding in 2018 that he sexually harassed a student, told her his sexual preferences, described sex fantasies and created a hostile work environment for her, The Chronicle has learned. Alan Tansman, a tenured professor who is well known in his field and has written or edited books on Japanese literature and culture, agreed to disciplinary measures on Nov. 20 . (link)
Feb 17: A Newman University volleyball coach who filed internal sex discrimination and harassment complaints is now suing the school, saying she was treated poorly by her supervisor and paid less because she's a woman. Destiny Clark is the fifth ex-employee of Wichita's private, Catholic college to file suit against it in recent months. Three of the lawsuits, including Clark's, mention her internal Title IX complaints and claim the school pushed back during their investigations. All five of the ex-employees suing allege unfair termination or treatment and ask for money damages. (link)
Feb 14: A federal court ruled Tuesday to dismiss a former Iowa State student's case against the university that alleged her Title IX rights were violated after she was sexually assaulted by another student in spring 2014. Melissa Maher, who in 2016 took initial action against the university for subjecting her to an unreasonable amount of time to investigate the incident, said Iowa State was "deliberately indifferent" about her case due to her sex. Decided Tuesday, however, was Iowa State's motion for a summary judgement which concluded Maher did not demonstrate a "genuine issue of material fact" as to whether Iowa State engaged in the aforementioned Title IX discrimination. (link)
Feb 14: The University of Texas can dish out degrees, but it can't take them back -- at least not without a court order. So says a judge in the state who ruled recently that the prestigious institution overstepped when it tried to revoke the PhD of a chemist amid concerns over the integrity of her research. The scientist, Suvi Orr, who now works at the drugmaker Pfizer, has denied wrongdoing despite a 2012 retraction of a paper, based in part on her dissertation, that proved unreproducible. The judge, Karin Crump, of the District Court of Travis County, ruled that UT lacks either "express ... [or] implied authority" to take back degrees without bringing the matter to district court. The university says it is reviewing its options. (link)
Feb 13: A $215 million class action settlement agreement between the University of Southern California and several law firms representing dozens of women who allege they were sexually abused by Dr. George Tyndall was filed in federal court Tuesday. The money will be used to compensate women saying they were victimized by Tyndall, a gynecologist in the institution's student health center for almost three decades. (link)
Feb 12: A federal judge has ordered Eastern Michigan University to reinstate its women's tennis and softball programs by the fall of 2019. U.S. District Judge Caram Steeh issued the ruling Tuesday, Feb. 12, nearly 11 months after the sports were eliminated by the university. A federal lawsuit was filed in June 2018 by former women's tennis team member Marie Mayerova and softball player Ariana Chretien, who claimed EMU was not providing effective accommodation to female student-athletes. (link)
Feb 03: A former Chicago State University official who sued the University of Illinois at Chicago for publicly discussing her work at UIC when she was a student -- after an adversary accused her of plagiarism -- has settled with UIC for nearly $700,000. Former CSU Provost Angela Henderson, who earned a Ph.D. in nursing at UIC in August 2013, filed the lawsuit in July 2014 after being cleared of the plagiarism allegations by an independent hearing officer retained by UIC. Henderson's lawsuit accused the university of violating the federal Family Educational Rights and Privacy Act (FERPA) by publicly discussing her Ph.D. dissertation. (link)
Feb 02: The University of Virginia chapter of Sigma Lambda Upsilon filed a federal complaint in September challenging hazing allegations made by the university. The lawsuit comes at a time when hazing is in the national spotlight and when fraternities at Louisiana State University and the University of Pennsylvania have been shut down. The Sigma Lambda Upsilon case is raising questions about what constitutes hazing. The sorority claimed in its lawsuit that U-Va. violated its "freedom to associate on campus" when the school determined the sorority's requirement that members study 25 hours a week violated the school's hazing policy. U-Va. had suspended the sorority last spring. (link)
Feb 01: The U.S. Department of Education has found that Michigan State University officials for years violated federal law by failing to comply with requirements that aim to ensure a safe campus, systemically underreported crime statistics, and -- in the handling of sexual assault allegations against former athletics physician Larry Nassar -- demonstrated "a lack of institutional control." The violations listed in the 46-page report, a copy of which was obtained by Outside the Lines, span the campus and include athletics, Greek life and residence halls, among other areas. (link)
Feb 01: Opera star David Daniels and his husband, conductor Scott Walters, were arrested Tuesday night in Ann Arbor, Michigan on charges of sexual assault. David Daniels is an internationally famous countertenor, whose sweet, high voice has been celebrated on the world's greatest opera and classical music stages. He is also a professor at the University of Michigan in Ann Arbor, where he has taught since 2015. Last year, Daniels was accused of sexual assault in two separate incidents that allegedly took place about seven years apart. (link)
Campus Life & Safety Events
Feb 27: While recruiting students for a grass-roots conservative organization at the University of California Berkeley last week, an activist was confronted by two men. One of them began pushing him repeatedly and then punched him in the face. Hayden Williams, who is not a student at UC Berkeley, works for the Leadership Institue, which helps conservative students and clubs on campuses. Williams, 26, has injuries to his face, police say, and the incident was captured on multiple witness’ phones. (link)
Feb 27: A Knoxville man has been arrested after allegedly panhandling for money while armed with a knife inside Hodges Library on the University of Tennessee campus. Richard Thomas Whitaker, 29, is charged with carrying a weapon on school property, a Class E felony, and criminal trespass after multiple witnesses reported a man "approaching them and asking for money with a knife in his hand," Monday morning, according to arrest warrants. (link)
Feb 26: One man is in jail after domestic violence was reported Monday night at a University of Southern Indiana apartment. Demond Glover, 20, was arrested on preliminary charges of strangulation, intimidation, domestic battery and criminal mischief. USI Public Safety alerted students Monday night that law enforcement officials were called to the on-campus housing because of a "dating violence" incident where someone was injured. (link)
Feb 25: An international graduate student died following an incident at the University of Rhode Island pool on Sunday. URI identified the student as Suhail Habeeb, a graduate student in physics. According to URI, staff from campus recreation, the URI police department and the college's emergency medical services responded to the pool at 4:30 p.m. Sunday. A spokesman for the Rhode Island Department of Health said the autopsy results are pending. (link)
Feb 24: A man has been arrested for allegedly committing a sexual assault at the University of Vermont. Police say the assault happened Saturday on the Burlington campus. The suspect has been identified as 37-year-old Tyson Cyphers, who is currently on the Vermont sex offender registry. Following the alleged assault, police say Cyphers stole multiple items from the victim before fleeing the scene. (link)
Feb 22: Hundreds of people protested at the University of Mississippi on Saturday concerning a Confederate statue located on campus. Two pro-Confederate groups, Confederate 901 and The Hiwaymen met on the Square in Oxford and marched to the Confederate monument near The Grove. Several basketball players at Ole Miss took a knee during the national anthem in their home game against Georgia State in solidarity with counter protesters on campus. (link)
Feb 20: A University of California, Santa Cruz student was indicted on federal charges Tuesday, accused of developing an app to sell meth, cocaine and other illegal drugs. Collin Howard, 18, was indicted by a federal grand jury in San Jose, California, on drug distribution and possession charges for allegedly creating the Banana Plug app, authorities said. "Posters advertising the application had been hung up around the UC Santa Cruz campus," the statement said. "Upon discovering the posters and the application, a UC Santa Cruz police officer, in coordination with HSI, used the application to request a purchase of marijuana and cocaine and then communicated with Howard via Snapchat to set up the purchase." (link)
Feb 18: A University of Missouri student has left campus voluntarily after being diagnosed with active tuberculosis, the MU News Bureau said in a news release Monday. MU officials are working with local health authorities as they identify other people who need to be tested for the illness, the release said. It wasn't clear when the student was diagnosed or when he or she left campus. Doctor Christelle Ilboudo, a specialist in pediatric infectious disease, said TB most commonly spreads when a person infected with active TB coughs or speaks. (link)
Feb 14: Nine members of a fraternity under suspension at Louisiana State University were arrested Thursday on charges related to hazing pledges who were urinated on, forced to lay on broken glass, and ordered to stand for hours in painful positions, according to authorities. One pledge told police he was forced to stay in an ice machine for more than 30 minutes that was half filled with ice and water. He was eventually taken out to lie on a basketball court covered in broken glass, according to an affidavit in support of the arrests. (link)
Feb 12: A University of Montana student pushing free market ideals and limited government alleged she experienced politically motivated harassment encouraged by an anthropology professor. Taylor Powell, a student in psychology and political science, said students told her to "f--- off" and "f--- your organization" as she worked at a table for a conservative group, Turning Point, U.S.A., in the University Center. She said at least four students made rude and vulgar remarks to her. Last week, Powell made a formal complaint to the Equal Opportunity and Affirmative Action office. (link)
Feb 11: Police are searching for the suspect who abducted a female student and stole a vehicle at gunpoint near the Ohio State University Mansfield campus. According to the OSU's Department of Public Safety, a female student was standing in the campus parking lot just before noon on Monday when she was approached by Ty'rell Pounds. Pounds reportedly displayed a handgun and forced the student into his vehicle before fleeing the area. (link)
Feb 06: A federal court on Wednesday ruled that the University of Iowa can't strip a Christian group of its status as a registered student organization based on its requirement that leaders follow its statement of faith, which includes not having sex outside of a marriage between a man and a woman. Judge Stephanie M. Rose of the U.S. District Court for the Southern District of Iowa granted a permanent injunction that will keep the University of Iowa from rejecting the status of Business Leaders in Christ based on the university's human rights policy, which the university had cited in its revocation of the Christian group's status. (link)
Feb 05: A Michigan State University staff member has been charged with a misdemeanor moving violation in the death of a student riding a moped on campus in mid-January. Adam Young, 22, of Laingsburg, was driving a university salt truck near the intersection of Shaw Lane and Chestnut Road just before 8 a.m. Jan. 15 when he collided with 21-year-old Tiana Seville. Young is a staff member at MSU and works with Infrastructure Planning and Facilities as a landscape services equipment operator. Seville was a 2016 graduate of Grand Ledge High School, and was on the gymnastics team at Grand Ledge for three years. (link)
Feb 04: A new policy requires University of Michigan faculty, staff, student employees, volunteers and visiting scholars to disclose if they've been charged with or convicted of a felony. The policy requires faculty and staff to inform the university within one week of a charge or conviction that occurs on or after Feb. 1. Currently, it does not apply to employees covered by a collective bargaining agreement. (link)
Feb 04: The death of a University of Vermont student comes on the heels of another college student's death in Iowa. Connor Gage, a freshman at UVM, died "possibly due to exposure to sub-zero temperatures" on Saturday. Another student, 18-year-old Iowa student Gerald Belz, died Jan. 30 after exposure to freezing temperatures. Cold temperatures struck the Midwest late January. The Northeast, including Vermont, experienced some of the impact, though the brunt hit states like Illinois and Wisconsin. (link)
Feb 01: Augsburg University in Minnesota suspended a professor for using the N-word during a class discussion about a James Baldwin book in which the word appeared -- and for sharing essays on the history of the word with students who complained to him about it. The case concerns academic freedom watchdogs on campus and off. The professor is just one of several to recently be sanctioned -- unofficially by students or officially by administrations -- for using the N-word in class. So one might also ask if there is ever reason to use a word so loaded. (link)
Feb 01: The University of Idaho banned a tenured journalism professor from its Moscow campus and heightened security patrols Wednesday, implying she was a threat. "Denise Bennett has been barred from Moscow Campus," the university said Wednesday morning in a text message alert sent to students and employees. "Recent admittance to police of meth use and access to firearms. If seen on campus, call 911." Wednesday's text alert came almost a week after the university placed Bennett on paid administrative leave for sending a profanity-laced email in which she lambasted school officials for perceived problems in the School of Journalism and Mass Media, including misuse of grant funding. (link)
Feb 01: A University of Iowa student was found dead of possible exposure near Halsey Hall early Wednesday morning, university officials said. UI Police discovered Gerald Belz unresponsive at about 2:48 a.m. Wednesday. The student, a pre-medicine major from Cedar Rapids in his second semester, was transported to the hospital, where he later died. The air temperature was 22 degrees below zero at 2:52 a.m. Wednesday, with a wind chill of 51 below zero. (link)
Other
Feb 01: In August 2015, an electrical engineering student in Chicago sent an email to a Chinese national titled "Midterm test questions." More than two years later, the email would turn up in an FBI probe in the Southern District of Ohio involving a suspected Chinese intelligence officer who authorities believed was trying to acquire technical information from a defense contractor. Investigators took note. They identified the email's writer as Ji Chaoqun, a Chinese student who would go on to enlist in the US Army Reserve. His email, they say, had nothing to do with exams. (link)
If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site.
If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.
Back to top
|