How Boston College recovered from a big data breach

Head of IT security says prompt response in wake of 100,000-record breach helped to regain customer confidence

By Cara Garretson, Network World
September 10, 2007 05:53 PM ET
CHICAGO – In 2005, Boston College recovered from a data breach by putting its customers’ needs first. On Monday, at The Security Standard conference held here, the college’s head of security explained how.

Walking the audience through the 2005 breach, in which personal information of 100,000 alumni was potentially exposed, David Escalante, director of computer policy and security, explained how the college recovered and regained its customers' trust.

In March 2005, Boston College sent letters to 100,000 alumni informing them of a data breach and the resulting risk of identity theft. A rogue server, locked in the utility closet of a campus computer lab, had been hacked; the machine was being used to store alumni records.

Once Escalante's team had identified which computer was hacked and what information was at risk, it was time to act. The college already had an incident-response team that handled virus outbreaks and similar threats, but the CIO decided this breach was too big for the security team alone, Escalante said. Instead, the CIO assembled a larger team that included the legal and PR departments. "The CIO had the contacts to pull together this massive effort," he said.

While that team was being assembled, Escalante's group performed computer forensics on the machine, which was difficult because they had never seen this server before, he said. The response team also pressed him to determine why the data was breached and set a forensics deadline: unless the forensic work could prove by then that not all records had been accessed, the college would notify all 100,000 alumni whose records were on the server.

“Boston College was founded by Jesuits, and the president of the university is a priest,” Escalante said. “That leads to a highly ethical culture, and it made processing a lot easier. We confessed to our guilt and asked people’s [forgiveness].”

Escalante's reading of the log files showed that the database itself had not been breached. The problem was a series of scratch files created by students who called alumni to ask for donations; policy required those files to be deleted, but they hadn't been, and the logs could not rule out that an intruder had read them. For expediency, the college decided to send letters to all the alumni rather than spend time working out whose information may have been compromised.

Instead of e-mail notices, Boston College opted for signed letters sent through the mail. “Sending out 100,000 letters costs a lot in postage, but a letter is more personal,” Escalante said. “We wanted to send an apology signed by management . . . even though e-mail is faster. I think the letter worked.”

The college braced for a flood of calls from the letter's recipients, and received even more than it had expected, he said. The response team worked with the communications department to staff phone lines and provide scripts. The college's licensed police department could provide police reports to those who requested them, he said. And the PR department prepared to respond to the press inquiries that the college knew would follow -- and did.
