Unattended Middle Tennessee State University laptop
Date Reported:
2/14/08
Organization:
Middle Tennessee State University (MTSU)
Contractor/Consultant/Branch:
None
Victims:
Current and former students
Number Affected:
~1,500
Types of Data:
Names and Social Security numbers
Breach Description:
A Middle Tennessee State University laptop was left unattended by a professor and used by an unknown (and unauthorized) person to send SPAM emails. The laptop also contained sensitive personal information belonging to current and former students of the school.
Reference URL:
The Tennessean (Gannett) online story
The Daily News Journal online story
WTVF Channel 5 News online story
Report Credit:
The Daily News Journal by way of Attrition.org
Response:
From the online sources cited above:
an unknown person accessed a computer containing the names and Social Security numbers of about 1,500 past and current students
A professor left the university computer unattended in the mass communication department about two weeks ago and an unidentified person is believed to have used the machine to send spam e-mails
[Evan] It is poor practice to have Social Security numbers on the laptop in the first place, but a couple of additional controls could have helped (training & awareness, automatic screensaver lock, etc.).
“Although we have discovered that it was technically possible to access this file containing your personal information, we have no evidence that this file was actually accessed by anyone,” a letter from the university to those affected stated. “We are notifying you simply as a precaution.”
[Evan] Not so simple and not much of a precaution. A true precaution such as prohibiting the use of Social Security numbers (especially on client computers) is simple.
computer analysts with the university thoroughly examined the computer, looking for signs of wrongdoing.
Past and current students had personal information on the computer, but none have reported identity theft related to the incident
“By now or this weekend, everyone, whose information was on the computer, will have received notification from the university,”
school officials urged students to place a fraud alert on their credit report and gave information about a free service that requests creditors to verify identity before authorizing new accounts.
Notable Comments on The Daily News Journal story:
Posted by: Mike on Wed Feb 13, 2008 11:24 pm
Even as a student there, I always wondered why our SS numbers were used as our ID numbers. In this day and age, it IS NOT safe to use your SS number! Especially with how easy a slip-up such as this can happen! Something needs to change! Too bad it takes an event like this happening to even make people consider change.
Posted by: sschroeder on Wed Feb 13, 2008 6:28 pm
What is it going to take to get people to understand that information security is a serious thing??!! Furthermore, what is that type of information doing on a professor's computer? Isn't there another way to identify students rather than use their SS#?
Commentary:
The comments by "Mike" and "sschroeder" are right on.
Past Breaches:
Unknown

I am stunned reading this article; I didn't know that such things happen in the world.