Missing University of Akron portable hard drive
Technorati Tag: Security Breach
Date Reported:
1/11/08
Organization:
University of Akron
Contractor/Consultant/Branch:
College of Education
Victims:
Students and graduates of the College of Education
Number Affected:
800
Types of Data:
Names, addresses and Social Security numbers
Breach Description:
A portable hard drive is missing from the University of Akron. According to the university, the hard drive may have been discarded and/or destroyed. The hard drive contained sensitive personal information belonging to current and former students attending classes at the College of Education.
Reference URL:
Akron Beacon Journal News Story
WKYC TV Online Story
Report Credit:
Akron Beacon Journal
Response:
From the online sources cited above:
The University of Akron has informed 800 students and graduates of the College of Education that a portable hard drive containing personal information is missing and may have been discarded or destroyed in December.
[Evan] "May have"?
The university said the device contained Social Security numbers, names and addresses of students and graduates.
[Evan] Is it an acceptable practice to store personal information on a "portable" hard drive? I assume that there is no encryption.
Dr. Cynthia Capers, interim dean of the College of Education, said UA felt it was essential to notify students and graduates even though ''we believe this incident puts them at low risk of identity theft.''
Students and graduates received Federal Trade Commission guidelines to help guard against identity theft and a UA phone numbers and Web address to ask additional questions.
Notable Comment at the Akron Beacon Journal:
"So this is what $20,000 gets you... a stolen identity. Who believes that this device was destroyed? Then they have the nerve to send me a letter asking for a donation!"
Commentary:
It is not mentioned in the news story whether or not the University of Akron permits the storage of confidential information on removable media. Confidential information must be protected better than this. The uncertainty in "may have" been discarded or destroyed is troubling. Organizations that possess confidential information need to be certain.
Confidential information has a life-cycle and must be protected throughout. From creation to destruction. Confidential information should not be allowed to be stored on removable media unless absolutely necessary, and even then requires additional levels of protection such as encryption. Once confidential information no longer has any business use and is authorized for destruction, it must be destroyed in a manner that is controlled and effective. Many organizations rely on a secure data destruction and re-use standards to define acceptable methods for data destruction.
Past Breaches:
October, 2007 - 1,200 University of Akron students affected by lost microfilm
Date Reported:1/11/08
Organization:
University of Akron
Contractor/Consultant/Branch:
College of Education
Victims:
Students and graduates of the College of Education
Number Affected:
800
Types of Data:
Names, addresses and Social Security numbers
Breach Description:
A portable hard drive is missing from the University of Akron. According to the university, the hard drive may have been discarded and/or destroyed. The hard drive contained sensitive personal information belonging to current and former students attending classes at the College of Education.
Reference URL:
Akron Beacon Journal News Story
WKYC TV Online Story
Report Credit:
Akron Beacon Journal
Response:
From the online sources cited above:
The University of Akron has informed 800 students and graduates of the College of Education that a portable hard drive containing personal information is missing and may have been discarded or destroyed in December.
[Evan] "May have"?
The university said the device contained Social Security numbers, names and addresses of students and graduates.
[Evan] Is it an acceptable practice to store personal information on a "portable" hard drive? I assume that there is no encryption.
Dr. Cynthia Capers, interim dean of the College of Education, said UA felt it was essential to notify students and graduates even though ''we believe this incident puts them at low risk of identity theft.''
Students and graduates received Federal Trade Commission guidelines to help guard against identity theft and a UA phone numbers and Web address to ask additional questions.
Notable Comment at the Akron Beacon Journal:
"So this is what $20,000 gets you... a stolen identity. Who believes that this device was destroyed? Then they have the nerve to send me a letter asking for a donation!"
Commentary:
It is not mentioned in the news story whether or not the University of Akron permits the storage of confidential information on removable media. Confidential information must be protected better than this. The uncertainty in "may have" been discarded or destroyed is troubling. Organizations that possess confidential information need to be certain.
Confidential information has a life-cycle and must be protected throughout. From creation to destruction. Confidential information should not be allowed to be stored on removable media unless absolutely necessary, and even then requires additional levels of protection such as encryption. Once confidential information no longer has any business use and is authorized for destruction, it must be destroyed in a manner that is controlled and effective. Many organizations rely on a secure data destruction and re-use standards to define acceptable methods for data destruction.
Past Breaches:
October, 2007 - 1,200 University of Akron students affected by lost microfilm
Posts Atom 1.0
Comments