Stolen laptops from Carnegie Mellon affect students

Date Reported:
10/8/07

Organization:
Carnegie Mellon University

Contractor/Consultant/Branch:
None

Victims:
Carnegie Mellon students who attended certain computer science classes between the summer of 2004 and spring of 2006.

Number Affected:
Unknown

Types of Data:
"significant personal identifying data"

Breach Description:
Two laptops were stolen from a Carnegie Mellon University computer science professor's office in early September, 2007.  On the laptops were unencrypted files containing sensitive information about students.

Reference URL:
Story at The Tartan

Report Credit:
Ellen Tworkoski, The Tartan

Response:
From the online article cited above:

"According to University Police reports filed on Sept. 2, the laptops were stolen from the office of a computer science professor in Wean Hall. The door is believed to have been locked and there were no signs of forced entry, according to case officer Lieutenant John Race of the Carnegie Mellon University Police."

"At the time of the theft, there were five computers present in the room, but only two were stolen, both of which were believed to have “contained significant personal identifying data,”"

"Race, as well as members of the Information Security Office (ISO), believe that the laptops were stolen because of their commercial value, not for the information contained in their hard drives. Cases of identity theft are extremely rare on the Carnegie Mellon campus, Race said."
[Comfyllama] There is arguably MORE commercial value in the information than there is in the hardware.  I wouldn't be so sure that these laptops were only stolen so that they could be sold.  If they were, then what about the purchaser?  Should the purchaser be trusted too?

"Laptops which are stolen are typically sold on the streets to some “private citizen who thinks they got a good deal,” he said"
[Comfyllama] See my previous point above.

"Students whose social security numbers were stored on the stolen computers were informed of the theft on the weekend of Sept. 29. The e-mail provided students with general information about the theft as well as a website address through which they could set up a Fraud Alert system on their banking and credit accounts which would notify them of any suspicious credit patterns in the future. Further protective action was left to the discretion of the individual student."
[Comfyllama]  This is like saying "Yes we lost your information, but it's your problem not ours."

"One student, who preferred to remain anonymous for this article, was concerned that students were not notified of the theft until almost a month after it occurred. He asked Carnegie Mellon to pay for a credit monitoring service, which would examine past credit history to determine if fraud had already occurred. The university refused, he said."
[Comfyllama] See my previous point above.

"Because of incidents like this, administrators have already begun to reduce the use of social security numbers in campus files. Since January 2006, students’ social security numbers have no longer appeared on course files."
[Comfyllama] Reduce?  I like eliminate better.

"Currently, the ISO is working to create a more secure network that will protect students’ identifying information, even in the case of another laptop theft. "

"Last month, the university purchased “Identity Finder,” a system which allows individuals to scan their hard drives and then encrypt, delete, or quarantine a file which is shown to contain personal information, such as a social security number."
[Comfyllama] "Last month" coincides with the timing of this breach.

"“CMU needs to take responsibility” for the current theft, the previously referenced student said, and make sure that those affected receive the support that they need in order to protect their most important possession — their identity."
[Comfyllama] Absolutely they do!

Commentary:
Judging only from what I read in the article, Carnegie Mellon does not seem to be taking the theft of these two laptops very seriously.  The comments in the article suggest that they are minimizing the situation and not offering the victims any real help.

This is the second breach in as many days involving a laptop stolen from a university instructor that contained sensitive information about their students (see University of Iowa).

Past Breaches:
Unknown




 