Stolen CUNY laptop exposes 23,000 students

Date Reported:
11/01/07

Organization:
City University of New York (CUNY)

Contractor/Consultant/Branch:
None

Victims:
Current and former university students who were recipients of the Academic Competency Grant

Number Affected:
"over 23,000"

Types of Data:
Names, Social Security numbers, citizenship status, GPA and the "expected family contribution toward tuition"

Breach Description:
A laptop belonging to the City University of New York (CUNY) that contained sensitive personal information on 23,000 current and former university students was stolen from a financial aid office in Midtown New York.

Reference URL:
The New York Post Story
NY1 News Story
Sherry Mazzocchi's excellent coverage for The Ticker (RECOMMENDED READING)

Report Credit:
Yoav Gonen, Education reporter for the New York Post

Response:
From the online articles cited above:

"At the end of October, the City University of New York informed over 23,000 students and former students, who were recipients of financial aid, that they were victims of identity theft."
[Comfyllama] I want to point out that these students are not YET victims of identity theft, per se.  They are, however, prime candidates.

"The laptop contained a file with names, social security numbers, citizenship status, GPA and the expected family contribution toward tuition of the student recipients of the Academic Competency Grant throughout the CUNY system."

"Harvey Shifter, a spokesperson for CUNY's Financial Aid office, described the laptop as inoperable. "When you turned it on," he said, "you would get a blue screen." In addition, he said the file was password protected."
[Comfyllama] A blue screen (BSOD) and password DO NOT ensure security by any means.  For someone interested in the data on the laptop and possessing any computer competence, these are simply nuisances.

"Shifter said that it was a few days before the financial aid office noticed that the laptop was missing. The laptop was stored in a room that required the knowledge of a combination to gain access."
[Comfyllama] Sounds like someone knew the combination, eh?

"While a police report was filed, there are no suspects and the police, Shifter said, have closed the case."
[Comfyllama] I do not blame the police for closing the case.  The chances of finding this laptop are nearly nil.

"CUNY suggests that students monitor their credit reports as well as put a fraud alert on their accounts. By calling any of the three major credit agencies, Experian, Equifax or Transunion and implementing a fraud alert, it will automatically be adopted by all three agencies."
[Comfyllama] Thank you for the suggestion, CUNY.  Now may we make a suggestion to you?  Take the security of the information you have seriously, especially information that belongs to people other than yourself!!!  There is absolutely no reason to allow sensitive information on a laptop without encryption.  It is difficult to say you didn't know any better.

"Shifter said that he has not heard of any suspicious activity or economic loss due to the theft. When asked what steps CUNY would take if students did incur losses, he said, "I don't have an answer at this point." He did say that in response to the theft, CUNY will no longer store sensitive data on laptops."
[Comfyllama] No longer storing sensitive data on laptops is a start.  How about flash drives, CDs, DVDs, backup tapes, personal computers, etc.?  How will CUNY enforce this new policy?  Will CUNY employ encryption for sensitive data at rest?  These are all serious questions (and more) that need to be answered and communicated to the people that have entrusted the university with their information.

Victim Reactions:

"I don't understand how a laptop with financial aid information gets stolen in the first place,"

"It's ridiculous," said Ken Krivac, of Queens, whose 19-year-old daughter had attended Queensborough Community College. "It's a young girl starting off in life and everything's been compromised."

"I was trying to get a job and they weren't able to do a background check" because of her credit alerts

Commentary:
I assume that there is not an encryption or other security policy in place at CUNY that prohibits the storage of sensitive information on laptops with or without encryption.  I assume this based on the information in the articles and responses.  I would have to go back and count the number of victims this year that have had their personal information compromised through a lost or stolen laptop without encryption.  When I get some time, I will count it up.  It's sickening.

You cannot ever guarantee the security of information, but if you do not know information security best practices, methods and techniques or are unwilling to hire someone to consult you on such matters, then do not accept, create, access or store sensitive information.  I can understand breaches that occur through human error and technical vulnerabilities much more than I can accept breaches that occur through negligence.

Past Breaches:
Unknown



 