New England School of Law alumni information online

Date Reported:
10/29/07

Organization:
New England School of Law

Contractor/Consultant/Branch:
None

Victims:
New England School of Law alumni

Number Affected:
5,098

Types of Data:
Names, addresses, telephone numbers, Social Security numbers and dates of birth.

Breach Description:
In mid-October, 2007 the New England School of Law was alerted to the fact that sensitive personal information pertaining to the school's alumni was publicly available on the school's Internet web site.  The information was also found in Google's search engine and affected 5,098 people.

Reference URL:
The State of New Hampshire Attorney General Breach Notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the official New Hampshire breach notification and supporting documentation:

"In mid-October, the New England School of Law was alerted that personal information, including Social Security numbers, of school alumni was available on a page of the school's website through the Internet search engine Google."
[Comfyllama] I am curious as to how the New England School of Law was alerted.

"Through our research into the incident, we have determined that personal information on 5,098 alumni was accessible"

"includes the alumnus' name, address, telephone number, Social Security number and date of birth"

"The New England School of Law soon will begin notifying affected alumni by personal letter.  The letter to affected alumni will include information on preventing identity theft and a telephone number alumni may call to obtain further information"
[Comfyllama] It is not clear whether or not this has already occurred.  I have not been able to find any information about this breach in news outlets or on the school's web site.

Commentary:
This is another case of a mistake that could and should have been prevented.

Why is it important to keep a student's Social Security number after the person has graduated, and why would anyone except potentially financial aid personnel ever need this information?  I wonder if the school uses Social Security numbers for identification.  If so, then shame, shame, shame.  

Confidential information at rest MUST be encrypted.  If this file were properly encrypted, then an inadvertent placement on a web server would not lead to a compromise of confidentiality.  This is called (in simplistic terms) "defense-in-depth".

Past Breaches:
Unknown



 