Ferris State University stolen laptop with limited exposure

Date Reported:
10/31/07

Organization:
Ferris State University

Contractor/Consultant/Branch:
None

Victims:
Current and prospective students

Number Affected:
18,000

Types of Data:
Names, telephone numbers, dates of birth, email addresses, academic information and student identification numbers

Breach Description:
The automobile of a Ferris State University admissions recruiter was broken into on October 26th, 2007 and a laptop computer containing personal information was stolen.  The laptop contained personal information on 18,000 current and prospective students, but did not contain Social Security numbers or financial data.

Reference URL:
Ferris State University Incident Site
WZZM Channel 13 News Report
mlive.com/AP Report

Report Credit:
Ferris State University Communications Center

Response:
From the official Ferris State announcement and online articles cited above:

"On Friday, Oct. 26, 2007, a person broke into the locked automobile of one of the University's admissions recruiters and stole a laptop computer."

"The computer contains personal information regarding applicants for our 2007 and 2008 student classes."

"Up to 18,000 current and potential students could be affected. University administrators tell WZZM 13 News they are more concerned about students receiving unsolicited emails or mailers, rather than identity theft."
[Comfyllama] Unsolicited emails and targeted phishing (spear phishing) would also be my most immediate concerns.  Spear phishing is a pretty effective method to obtain information needed to steal an identity.  Longer-term, I would also be concerned with identity theft.

"The information does not include social security numbers, driver's license numbers, credit card information, banking information, or financial data of any kind."
[Comfyllama] This is good to know.  There is really no reason that a recruiter would ever need this information.  It is good security practice to limit available information to only that which is required to carry out an authorized task.

"However, the data file does include name, home address, telephone number, date of birth, e-mail address, academic information, and student identification numbers."

"Access to the laptop computer was protected by user identification and passwords on two different levels."
[Comfyllama] Although two passwords are more difficult to get around than one, passwords are still NOT sufficient to restrict access to confidential information.  I am guessing that the "two different levels" referred to are one for the operating system (i.e. Windows logon) and one for the file (i.e. Microsoft Excel or Microsoft Word password), both of which are easily compromised.

"At present, we have had no indication that this information has been accessed or has been misused in any way. The University immediately reported the laptop theft to authorities and an investigation is ongoing."
[Comfyllama] The university deserves credit for the very timely response.

"As a precautionary measure, this information on this site is meant to put you in contact with resources available to those who feel they have been a victim of identity theft or identity fraud."

"Additionally, we have established a toll free number (1-) where you may contact us or you may e-mail us with your questions about this incident."

Commentary:
The number one control missing in this breach is the use of encryption.  The university deserves credit for limiting the exposure by not including Social Security numbers and financial data on this laptop.  The university also deserves credit for their timely response.  In order to handle a security incident “well”, an organization must develop and test incident response procedures.  Based on the response by the university, I am almost certain that Ferris State has done this.  I am impressed with their response.

Ferris State University displays the link to its response site prominently on its home page.

Past Breaches:
Unknown



 