UBC takes action to counter Heartbleed bug as it warns some personal info may be at risk
The University of B. C. is warning students the Internet security bug Heartbleed may have put some personal information at risk and has set up a website alerting students to affected UBC services.
With its review of its computer networks close to complete, the university said it has determined none of its systems that involve credit card payments were affected by the security flaw. Several nonpayment systems were vulnerable, and all have been fixed except one that’s awaiting an update from an outside vendor.
Like the Canada Revenue Agency, UBC has been aggressive and public in dealing with the Internet security threat that hit as many 60 per cent of websites, including those of many B. C. companies and organizations.
“What we are trying to do is figure out the amount of systems affected and make sure they are appropriately addressed; fixing them as soon as possible and getting users to change their passwords,” said Larry Carson, associate director of information security management at UBC.
Carson said the university has talked to other institutions in the province that have been affected by Heartbeat.
Student accounts containing information about their marks, class registration, financial information and other data were not affected and the only service that has been taken offline is a virtual private network with Cisco software that lets people access UBC’s VPN on their mobile devices.
In an email to UBC network users, the university’s chief information office Oliver Grüter- Andrew wrote: “The Heartbleed bug has the potential to expose your private data, including usernames, passwords, credit card numbers, and emails.
“UBC is treating this bug very seriously and is in the process of verifying whether any UBC systems are impacted, and immediately fixing any of those identified. During this process, it may be necessary to suspend some services.”
Jay Black, chief information officer at Simon Fraser University, said SFU has been working on its systems since it found out about Heartbleed. He said a small number of public systems were affected but many of the university’s “most important and critical systems were not vulnerable to the threat.”
Black said he expects SFU will be sending out a notice today to its computer users, recommending that passwords be changed.
The University of Victoria posted a notice on its website listing sites and services that it has so far identified as not being vulnerable to Heartbleed.
B. C. legislation doesn’t require private or public sector organizations to alert people if their privacy has been breached. In Ottawa, amendments to federal legislation that would make notification mandatory were introduced this week.
Dominic Vogel, a senior security consultant with Grant Thornton in Vancouver, said: “A lot of people are going to be jumping the gun and changing their passwords, but you should wait for notification that the issue has been fixed and now you can change your password.”
Vogel also warned people can expect to see an increase in phishing emails from attackers who will be taking advantage of the concern over Heartbleed to try to trick people into logging onto bogus or fraudulent websites.
“I have already seen one or two,” he said. “I think within a week you’ll see a huge uptick in that.”
If you receive an email purporting to be from a business or website that you have an account with, don’t click on the link inviting you to go to the site.