Lost Tennessee Tech flash drive affects 990 students
Technorati Tag: Security Breach
Date Reported:
1/14/08
Organization:
Tennessee Tech University
Contractor/Consultant/Branch:
None
Victims:
Students that lived in the Capital Quad and Crawford dormitories on the Cookeville campus last fall (2007)
Number Affected:
990
Types of Data:
Name and Social Security number
Breach Description:
Officials at Tennessee Tech University are notifying students that they have misplaced a flash drive containing personal information belonging to them.
Reference URL:
Upper Cumberland Daily News Story
Associated Press Story on knoxnews.com
Report Credit:
Upper Cumberland (TN) Daily News
Response:
From the online sources cited above:
COOKEVILLE, Tenn. (Jan. 14, 2008) - About 990 Tennessee Tech University students were notified today that a flash drive containing the name and social security number of students who resided in Capital Quad and Crawford residence halls last fall was recently misplaced.
Although it may be possible the data could be found and accessed by unauthorized individuals, campus officials say they have no evidence that it has been discovered or used by anyone else.
“We are notifying the affected students as a precaution,” said Marc Burnett, vice president for Student Affairs.
[Evan] A more effective precaution would have been not to allow confidential data on flash drives or to ban flash drives all together!
“We will contact the major credit reporting agencies and inform them that some of our students’ personal information may have been compromised because we want to err on the side of caution.”
[Evan] The act of copying personal information to a flash drive without additional controls is reckless and lacks caution.
university officials recommend students on the list place a "fraud alert" on their credit files with the three major credit bureaus.
The university also created a web site at www.tntech.edu/securityID to make people aware of the situation and provide information
“We regret what has happened and apologize for the inconvenience this may cause,” Burnett said. “However, we wanted those students to be fully informed of any potential risk, no matter how small it might be.
The Residential Life department and TTU will continually review our processes in order to maintain personally identifiable information in a secure environment.”
[Evan] I don't understand why the Residential Life department needs to maintain Social Security numbers at all.
Within the year, all of the student information in TTU’s campus databases will move to a new data system that replaces student social security numbers with individually assigned identification numbers.
[Evan] Excellent!
Commentary:
Flash drives have dramatically increased in capacity and decreased in size over the last couple of years. It's now possible to get a 16GB flash drive for less than $100. If the convenience offered by using a flash drive is too compelling to avoid, then at least encrypt the data. There are low-cost and even free options to encrypt confidential data, and most (if not all) major flash memory manufacturers offer encryption options to fit the need (for instance, the SanDisk Cruzer® Titanium Plus).
Personally, I haven't evaluated any of the built-in vendor solutions, so I can't comment on their effectiveness.
Past Breaches:
September, 2007 - Tennessee Tech employee mistake affects 3,100 students
Date Reported:1/14/08
Organization:
Tennessee Tech University
Contractor/Consultant/Branch:
None
Victims:
Students that lived in the Capital Quad and Crawford dormitories on the Cookeville campus last fall (2007)
Number Affected:
990
Types of Data:
Name and Social Security number
Breach Description:
Officials at Tennessee Tech University are notifying students that they have misplaced a flash drive containing personal information belonging to them.
Reference URL:
Upper Cumberland Daily News Story
Associated Press Story on knoxnews.com
Report Credit:
Upper Cumberland (TN) Daily News
Response:
From the online sources cited above:
COOKEVILLE, Tenn. (Jan. 14, 2008) - About 990 Tennessee Tech University students were notified today that a flash drive containing the name and social security number of students who resided in Capital Quad and Crawford residence halls last fall was recently misplaced.
Although it may be possible the data could be found and accessed by unauthorized individuals, campus officials say they have no evidence that it has been discovered or used by anyone else.
“We are notifying the affected students as a precaution,” said Marc Burnett, vice president for Student Affairs.
[Evan] A more effective precaution would have been not to allow confidential data on flash drives or to ban flash drives all together!
“We will contact the major credit reporting agencies and inform them that some of our students’ personal information may have been compromised because we want to err on the side of caution.”
[Evan] The act of copying personal information to a flash drive without additional controls is reckless and lacks caution.
university officials recommend students on the list place a "fraud alert" on their credit files with the three major credit bureaus.
The university also created a web site at www.tntech.edu/securityID to make people aware of the situation and provide information
“We regret what has happened and apologize for the inconvenience this may cause,” Burnett said. “However, we wanted those students to be fully informed of any potential risk, no matter how small it might be.
The Residential Life department and TTU will continually review our processes in order to maintain personally identifiable information in a secure environment.”
[Evan] I don't understand why the Residential Life department needs to maintain Social Security numbers at all.
Within the year, all of the student information in TTU’s campus databases will move to a new data system that replaces student social security numbers with individually assigned identification numbers.
[Evan] Excellent!
Commentary:
Flash drives have dramatically increased in capacity and decreased in size over the last couple of years. It's now possible to get a 16GB flash drive for less than $100. If the convenience offered by using a flash drive is too compelling to avoid, then at least encrypt the data. There are low-cost and even free options to encrypt confidential data, and most (if not all) major flash memory manufacturers offer encryption options to fit the need (for instance, the SanDisk Cruzer® Titanium Plus).
Personally, I haven't evaluated any of the built-in vendor solutions, so I can't comment on their effectiveness.
Past Breaches:
September, 2007 - Tennessee Tech employee mistake affects 3,100 students
Posts Atom 1.0
Comments