
Upset about data breach - enchantress
At the college I teach at, our network user name and password that we have to use to log on to publicly accessible classroom computers is the same username and password that provides access to all of our personal data (address, birthdate, marital status, dependant names and BD) as well as our T4 which has our Social Insurance # on it.  I just received an email, along with several other colleagues, that individuals had done something to several classroom computers that recorded our log-in information for a period of 2 months before it was discovered.  This seems unbelievable to me. They won't answer questions about it and are saying "it could happen anywhere".  Am I right to feel like our security is crap for this to happen?  The culprits were students.
I have also asked for them to require a different password for access to personal information than the one used to simply log on to a computer and am getting no traction with this request.  I am angry.  Any thoughts out there?
======
greenyoda
It's pretty standard corporate practice to have a "single sign-on" that allows
users to use the same user ID and password to access all resources.

It's also difficult to secure machines in public places - anyone can sneak in
to a classroom when it's empty, and it only takes a short period of time to
install a key-logger or other malware if you have physical access to a
machine.

It's certainly possible to have two authentication systems, a secure one and
an insecure one, like you propose. However, it's more work for the IT
department to maintain two systems, and every user would need to know which
user ID and password to use in which situation. The IT department may not have
the resources to do this, or they may just be lazy.

Another approach to make the system more secure would be to not allow access
to sensitive personal data through online systems at all. I work at a company
with hundreds of employees where no personal data is accessible to employees
online. For example, tax forms are mailed to employees' homes, and you have to
go to the Human Resources Department to get any personal information updated.
It's cumbersome, but secure.

Since you probably have no power to change the way the college runs its
systems, the only thing you can do to protect yourself is to change your
password frequently.

~~~
enchantress
Thank you for your thoughts. That is very helpful.

