I see that some universities are still struggling with Security 101. The breach last week of UCLA's computer systems by hackers is a case in point. The discovery last week that hackers had free access to a database of over 800,000 records of current and past students for over a year lets us know a few things. First of all, UCLA has a central database of everyone's records. Second, it is not encrypted. And finally, there are no safeguards to prevent unauthorized access.
Of course universities are not the only ones to neglect security. Reddit, the popular social bookmarking site recently acquired by Conde Nast, had some "storage media" stolen from their offices last week that contained everyone's username and password. Hello!!!??? The uber 2.0'ers at Reddit don't even know how to create one way hashes for passwords? They are in clear text? Better get on that guys. Ask a Unix geek how to do the hashing.
Immediate advice to anyone responsible for user, customer, or employee data. First, find those data stores! Don't be surprised when the hacker discovers it before you do. Second, encrypt them. Make it easy. Use blowfish, use a simple key. Anything to avoid the embarrassment of accidental loss. If the data includes bank info or credit card details use good encryption. Third, control access to that database. In particular, figure out a way to avoid granting universal access to the webserver or application server. All access should be tied back to a user, including the programmers and DBAs. And finally, monitor all access to the database and alert on unusual behavior like frequent requests, data dumps, etc.
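The third and fourth points above (tie every access to a person, then watch for frequent requests and data dumps) can be checked with a small monitor run over the database's query log. This is an added example, not the author's code or any particular product: the log line format, the account names, the shared-account list and the thresholds are all constructed for illustration, and a real deployment would read the format its own database emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Assumed audit-log format for this example:
#   <ISO timestamp> user=<db account> src=<client ip> rows=<rows returned> sql="<statement>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+) sql="(?P<sql>[^"]*)"$'
)

# Assumed names of accounts that are not tied back to a person.  The post's
# advice is that the web/app server should not have a blanket account at all.
SHARED_ACCOUNTS = {"webapp", "appserver"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line; None if it does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["rows"] = int(rec["rows"])
    return rec


def detect_anomalies(lines: List[str], window_seconds: int = 60,
                     max_requests: int = 10, max_rows: int = 1000) -> List[Tuple]:
    """Return alerts as (kind, user, detail) tuples.

    kinds: shared_account  - query made by an account not tied to a person
           data_dump       - a single statement returned more than max_rows
           burst           - more than max_requests from one user in the window
           unparseable     - line did not match the format (worth knowing too)
    """
    alerts: List[Tuple] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    burst_flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("unparseable", None, line))
            continue
        user, ts = rec["user"], rec["ts"]
        if user in SHARED_ACCOUNTS:
            alerts.append(("shared_account", user, rec["sql"]))
        if rec["rows"] > max_rows:
            alerts.append(("data_dump", user, rec["rows"]))
        # Sliding window of this user's recent request times.
        window = recent[user]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_requests and user not in burst_flagged:
            burst_flagged.add(user)  # alert once per user, not once per extra query
            alerts.append(("burst", user, len(window)))
    return alerts


# Constructed sample log: a normal lookup, a shared account, a full-table
# dump, and one user firing off a dozen record lookups in under a minute.
SAMPLE_LOG = [
    '2006-12-12T09:00:00 user=alice src=10.0.0.5 rows=1 sql="SELECT name FROM students WHERE id=1001"',
    '2006-12-12T09:00:30 user=webapp src=10.0.0.20 rows=1 sql="SELECT name FROM students WHERE id=1002"',
    '2006-12-12T09:01:00 user=bob src=10.0.0.7 rows=800000 sql="SELECT * FROM students"',
] + [
    '2006-12-12T09:02:%02d user=mallory src=10.0.0.9 rows=1 sql="SELECT ssn FROM students WHERE id=%d"'
    % (i * 2, 2000 + i)
    for i in range(12)
]


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

Each rule maps to one line of the advice: the shared-account check enforces "tied back to a user", the row threshold catches dumps like the 800,000-record one at UCLA, and the sliding window catches the slow harvesting of one record at a time that a single-row threshold would miss.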
This is serious stuff. Now that there are markets for identities that provide a clearing house for data thieves you will see more and more targeting of identity databases. Act now to avoid being the next organization to receive a failing grade in Security 101.