Well, at least the uni didn't try to minimize it:
"On or around November 28, 2023, Butler University’s third-party vendor, Athletic Trainer System ("ATS"), notified Butler University that an unknown actor gained access to ATS's computer systems in August 2020."
As part of steps taken in response, Butler writes: "Butler University is also reviewing the business necessity of sharing any sensitive data with third party vendors."
(SSN had been involved)
Butler University's notification letter sent to 1,871 people can be found linked from https://apps.web.maine.gov/online/aeviewer/ME/40/aebbc4f8-fbd7-4a2d-991b-f1ec97032e39.shtml
#EduSec #Vendor #infosec #hack #databreach
Aida Akl
in reply to Dissent Doe :cupofcoffee:
Dissent Doe :cupofcoffee:
in reply to Aida Akl
What alternative do you propose to sharing data with vendors? Entities are often too big to handle all functions well or efficiently themselves.
Brett Callow
in reply to Dissent Doe :cupofcoffee:
Aida Akl
in reply to Brett Callow
Brian Honan
in reply to Aida Akl
@AAKL
Under GDPR, companies are obligated to ensure any entities they send personal data to have appropriate security and privacy controls in place. If not, the company can be penalised for its third party’s breach.
Also, companies have to be transparent about what data they share and for what reasons. This is so I, as a data subject, can opt out of this or not deal with the company at all.