University of Iowa philosophy students' data exposed


Date Reported:
10/8/07

Organization:
University of Iowa

Contractor/Consultant/Branch:
None

Victims:
Certain current and former University of Iowa students

Number Affected:
184

Types of Data:
Names, class records, grades, and Social Security numbers*

*Social Security numbers of roughly 100 students

Breach Description:
A laptop was stolen from the home of a former University of Iowa philosophy teaching assistant who now resides in Arizona. The laptop contained confidential information about students who attended "Philosophy and Human Nature," "Philosophy and the Just Society," and "Principles of Reasoning," taught by former UI teaching assistant Tuomas Manninen from 2002 to 2006.

Reference URL:
Official FAQ:
Philosophy Security Incident (no SSN)
Philosophy Security Incident (SSN)
Iowa City Press-Citizen Story

Report Credit:
Iowa City Press-Citizen

Response:
From the online article cited above:

"The University of Iowa is informing 184 former and current students that their grade information was contained on a laptop computer stolen from a former teaching assistant now living in Arizona."

"The theft of the computer, which occurred last month in a break-in of the instructor's home, contained class records such as attendance, test scores, and grades of students who took his philosophy courses at the UI between 2002 and 2006. Social security numbers (SSNs) were also present in 100 of the records"
[Comfyllama] Why Social Security numbers are required to track student class progress is anyone's guess.

"UI Information Technology Security Officer Jane Drews analyzed backup copies of the files and found them an unlikely source for committing identity theft. "The instructor buried the files in his directory structure and obfuscated the social security numbers," Drews said. "While they were not encrypted, popular SSN scanning tools were unable to detect SSNs in any of the five files.""
[Comfyllama] Ahh, the old "security through obscurity" myth.  I got news… It doesn't work.

"We believe we have a responsibility to inform anyone whose personal information has been exposed by a computer theft, if there is even a slight risk that the information could be mishandled."
[Comfyllama] Iowa is one of those states that does not have a breach notification law on the books.

"Students affected were in sections of "Philosophy and Human Nature," "Philosophy and the Just Society," and "Principles of Reasoning" taught by former UI teaching assistant Tuomas Manninen."

Commentary:
Unfortunately, Iowa is one of the states in the U.S. that does not have a breach notification law on the books yet.  Three things are wrong, wrong, wrong about this breach.  

  1. Social Security numbers should NEVER be used for identification in class records.  I don't know what purpose storing Social Security numbers by a teaching assistant serves.
  2. Confidential data-at-rest should ALWAYS be encrypted, especially on laptops and other mobile devices.  Data stored on these devices is all that much more at risk of loss or theft.
  3. When an individual leaves an organization, the data MUST stay!  This is a no-brainer in my opinion.

Past Breaches:
Unknown




 