SOU data loss poses little risk to students
Technorati Tag: Security Breach
Date Reported:
9/26/07
Organization:
Southern Oregon University
Contractor/Consultant:
None
Victims:
SOU Students
Number Affected:
400
Types of Data:
Name, phone number, address, room number, gender, birth date, and student identification number.
Breach Description:
An maintenance worker lost a list containing personal information pertaining to some SOU students. The list was being used to prepare rooms in two SOU residence halls.
Reference URL:
The Mail Tribune Online Article
Report Credit:
Anita Burke, Mail Tribune
Response:
From the online resources referenced above:
"A misplaced list containing personal information on roughly 400 Southern Oregon University students has prompted the school to alert students and tighten internal controls on such information."
"Given the national attention on identity theft, we wanted to make sure people knew what happened and were not concerned," said Jonathan Eldridge, SOU's vice president for student affairs. "This way they can do whatever they need to do to get peace of mind."
"A maintenance worker lost a list that included names, phone numbers, addresses, room numbers, genders, birth dates and student identification numbers."
[Comfyllama] No Social Security numbers!
"The identification number was the only confidential detail on the list and it only has use in campus matters such as registering for classes and making payments, Eldridge said. Students must have a personal identification number, photo identification or the answers to security questions in addition to their student ID numbers to access or change school records. All the other information on the list is public information that would be included in any student directory"
[Comfyllama] A personal identification number (PIN), photo ID, answer to security question, AND a student ID number are required to change school records. Two-factor identification x 2! Us security guys like this. I wonder how hard it was to implement at the university and how hard it is to manage.
"SOU stopped using Social Security numbers for identification two years ago and went to randomly assigned numbers to reduce the risk of losing personal information in this type of situation, Eldridge said."
[Comfyllama] Amen!
Commentary:
For once it is nice to write without a double digit rise in my blood pressure. This is a breach, but hardly one that the victims need to worry about. Don't get me wrong, the victims need to KNOW about it, but not WORRY about it.
What SOU has done in terms of protecting identities should be commended. The employ strong authentication to change personal records and do not use Social Security numbers as identifiers. Other organizations can learn from these people.
I wonder if they encrypt any confidential data at rest, and if so what and how. Kudos to SOU IT and security staff.
Past Breaches:
Unknown
Date Reported:
9/26/07Organization:
Southern Oregon University
Contractor/Consultant:
None
Victims:
SOU Students
Number Affected:
400
Types of Data:
Name, phone number, address, room number, gender, birth date, and student identification number.
Breach Description:
An maintenance worker lost a list containing personal information pertaining to some SOU students. The list was being used to prepare rooms in two SOU residence halls.
Reference URL:
The Mail Tribune Online Article
Report Credit:
Anita Burke, Mail Tribune
Response:
From the online resources referenced above:
"A misplaced list containing personal information on roughly 400 Southern Oregon University students has prompted the school to alert students and tighten internal controls on such information."
"Given the national attention on identity theft, we wanted to make sure people knew what happened and were not concerned," said Jonathan Eldridge, SOU's vice president for student affairs. "This way they can do whatever they need to do to get peace of mind."
"A maintenance worker lost a list that included names, phone numbers, addresses, room numbers, genders, birth dates and student identification numbers."
[Comfyllama] No Social Security numbers!
"The identification number was the only confidential detail on the list and it only has use in campus matters such as registering for classes and making payments, Eldridge said. Students must have a personal identification number, photo identification or the answers to security questions in addition to their student ID numbers to access or change school records. All the other information on the list is public information that would be included in any student directory"
[Comfyllama] A personal identification number (PIN), photo ID, answer to security question, AND a student ID number are required to change school records. Two-factor identification x 2! Us security guys like this. I wonder how hard it was to implement at the university and how hard it is to manage.
"SOU stopped using Social Security numbers for identification two years ago and went to randomly assigned numbers to reduce the risk of losing personal information in this type of situation, Eldridge said."
[Comfyllama] Amen!
Commentary:
For once it is nice to write without a double digit rise in my blood pressure. This is a breach, but hardly one that the victims need to worry about. Don't get me wrong, the victims need to KNOW about it, but not WORRY about it.
What SOU has done in terms of protecting identities should be commended. The employ strong authentication to change personal records and do not use Social Security numbers as identifiers. Other organizations can learn from these people.
I wonder if they encrypt any confidential data at rest, and if so what and how. Kudos to SOU IT and security staff.
Past Breaches:
Unknown
Posted by Evan Francen at 9/27/2007 11:07 AM 
Categories: Southern Oregon University, Insecure Discard
Categories: Southern Oregon University, Insecure Discard
Posts Atom 1.0
Comments