Last year, I blogged about a server at the University of North Carolina School of Medicine at Chapel Hill that was discovered in late July of 2009 to have been hacked. The security breach was said to have placed the social security numbers of 163,000 women participating in a UNC medical study at risk.

The women were part of a National Institutes of Health funded mammography research project called the Carolina Mammography Registry. The breached server was said at the time to contain the records of a total 231,000 women.

The server where research data was uploaded was not located behind a security firewall. The records of another 400,000 women in the mammography study that resided on another server, however, were behind the firewall and were not breached.

Later investigation showed that the server had actually been hacked starting in 2007, and that "only" the records of some 180,000 women apparently had been able to be accessed.

UNC-Chapel Hill notified those 180,000 women about the breach, which the university said cost it about $250,000 to complete.

According to this story in the Raleigh, North Carolina News Observer, UNC-Chapel Hill officials decided that the lead cancer researcher for the study, Professor Bonnie Yankaskas, was negligent for not ensuring that the server that had been breached was secure.

As a result, the university first tried in October 2009 to fire Professor Yankaskas, but after her successful appeal to a faculty hearing committee, the university decided instead in July of this year to demote her from full professor to associate professor with tenure and cut her pay from $178,000 to $93,000. However, the university said it wouldn't take any action against her if she agreed to leave the university by June of next year.

Professor Yankaskas is now appealing her demotion to the university's board of trustees, claiming she is being used as a scapegoat for the security issue.

According this Durham, North Carolina Herald-Sun story, her lawyer says that university IT staffers knew since 2006 that the server could be compromised, but no one bothered to tell Professor Yankaskas. 

Apparently, the breast cancer study has been going on for 15 years, and it looks like the changing IT security landscape was not taken into account by the professor or those who worked with or for her. Everyone seems to agree that the professor is not an IT or security expert.

The university does have information security policies that spell out the responsibilities of researchers and other IT users, but I can't tell when the policies were originally developed and promulgated. Reading them over does seem to support to some degree the university's case against her.

The question at UNC-Chapel Hill is what accountability should there be for IT security breaches, and how do they rank in the scheme of all university activities?

The university paper, The Daily Tar Heel, for instance, pointed out that while the university severely sanctioned Professor Yankaskas for neglect in her university oversight duties, there seemed to be a double standard when it comes to the university's football coach:

"If you are a football coach and you don't notice infractions by your subordinates, bringing the University into disrepute, you get the support of the chancellor and athletic director."

About 10 days ago, ComputerWorldreported that some 107,000 current and prospective students at the University of North Florida had their personal information, including in some cases their Social Security numbers, compromised by a computer hacker. In fact, the university's press release on the incident says that 56 schools have reported IT security breaches this year alone. In no case that I am aware of has anyone been fired at any of those schools because of these breaches.

So, is UNC-Chapel Hill making Professor Yankaskas a scapegoat, as she claims, or does she deserve - along with others where security breaches have taken place - to be fired or demoted?

Exactly what should the punishment be - and who should receive it - for an IT security breach, at a university, government department and or commercial workplace?

My pet theory - without proof - is Professor Yankaskas is serving the role as the university's Adm. John Byng - being "hung" to encourage the others at the university to take IT security more seriously.

[Correction: I want to thank Robert Firth for pointing out that my typo involving Adm. Byng was wrong, and that he was shot - not hung - in 1757 on the deck of HMS Monarch.]

The Conversation (0)

Why Functional Programming Should Be the Future of Software Development

It’s hard to learn, but your code will produce fewer nasty surprises

11 min read
A plate of spaghetti made from code
Shira Inbar

You’d expectthe longest and most costly phase in the lifecycle of a software product to be the initial development of the system, when all those great features are first imagined and then created. In fact, the hardest part comes later, during the maintenance phase. That’s when programmers pay the price for the shortcuts they took during development.

So why did they take shortcuts? Maybe they didn’t realize that they were cutting any corners. Only when their code was deployed and exercised by a lot of users did its hidden flaws come to light. And maybe the developers were rushed. Time-to-market pressures would almost guarantee that their software will contain more bugs than it would otherwise.

Keep Reading ↓Show less