Stolen Penn State laptop had information on 677
Date Reported:
1/25/08
Organization:
Pennsylvania State University
Contractor/Consultant/Branch:
None
Victims:
Certain students attending between 1999 and 2004.
Number Affected:
677
Types of Data:
Personally identifiable information including Social Security numbers
Breach Description:
A laptop containing sensitive personal information belonging to students who attended the school between 1999 and 2004 was stolen from a Penn State faculty member while the person was travelling earlier this month (January 2008).
Reference URL:
The Daily Collegian Online
Penn State Live
KDKA News Channel 2
Report Credit:
Lauren Boyer, The Daily Collegian
Response:
From the online sources cited above:
A university laptop containing archived information and social security numbers for 677 students attending Penn State between 1999 and 2004 was recently stolen from a faculty member while traveling earlier this month.
[Evan] I assume that this laptop was not encrypted.
David Lindstrom, chief privacy officer at Penn State, said he believes the theft was random and "had nothing to do with Penn State."
"We have no reason to believe anybody's information has been compromised, but you need to take precautions, watch your credit, and just be careful," he said.
[Evan] The mentality implied by this statement puzzles me. "You need to take precautions, watch your credit, and just be careful" as advice to affected individuals is insulting. Isn't Penn State the information custodian?
Lindstrom wouldn't reveal the location of the theft, because he doesn't "want the bad guys to know what they have."
[Evan] IF the "bad guys" are motivated by identity theft, then they already know what they have. IF the "bad guys" are curious, they might find what they have. IF the "bad guys" are dumb, they wouldn't know the difference. It seems like most "bad guys" are dumb, so take that for what it's worth.
Lindstrom added that, as required by law, letters are being sent to individuals whose information was believed to be in the laptop.
"It's also on the National Crime Information Center database, so every police department in the United States can try to find it," he said.
[Evan] Do you think that every police department in the United States will? Not likely.
Lindstrom said the type of information stored on the stolen laptop is no longer stored on devices.
[Evan] Good! This would be one very good information security practice.
"That was the way the university used to do business," he said. "We converted in 2005 to using the Penn State ID number to store information."
He added that university laptops have been stolen before and recovered, but this is the first time this type of sensitive information has been at risk of exposure.
Commentary:
There is no mention of the school's policy and practice in terms of storing confidential information on mobile devices such as flash drives, CDs, laptops, DVDs, etc. I could comment more on the remarks from the school, but I'll leave that to you.
For new readers and those who are new to information security:
A laptop + confidential information - encryption = bad.
Past Breaches:
Unknown
