Four stolen laptops at the Eastern School District
Technorati Tag: Security Breach
Date Reported:
2/21/08
Organization:
Eastern School District (St. John's, Newfoundland, CA)
Contractor/Consultant/Branch:
None
Victims:
Students
Number Affected:
~28,000
Types of Data:
Names, Medical Care Plan (MCP) numbers, addresses, grade levels, phone numbers, and names of parents/guardians.
Breach Description:
Four laptop computers were stolen from the Eastern School District Atlantic Place offices during a break-in that was discovered on February 17th, 2008. One of the stolen laptops contained personal information belonging to students bussing to and from schools in the district.
Reference URL:
Eastern School District Media Release
CBC News online story
Report Credit:
Mary Tucker, Eastern School District
Response:
From the online sources cited above:
On Sunday, February 17, 2008 it was discovered that four laptop computers were stolen from the Eastern School District’s Atlantic Place offices.
The Royal Newfoundland Constabulary was contacted immediately and they are currently investigating this incident as a Break, Entry and Theft.
As part of the District’s internal investigation, it was discovered that one of the stolen computers contains an electronic database of bussing information regarding approximately 28,000 students.
This information includes student names, MCP numbers, addresses, grade levels, phone numbers and names of parents/guardians.
[Evan] Is all of this information needed in order to track kids on busses? I suppose most of it is in case of emergency. Not a good idea to store it on an unencrypted laptop though, eh?
The stolen computers are password protected, thus limiting access to information. Additionally, the Eastern School District has been advised by the MCP Commission that access to individual medical records is not at risk.
[Evan] Don't be fooled into thinking that the password is going to stop anyone except complete novices or the unmotivated.
"We are very concerned about this theft and possible breach of private information," says Darrin Pike, CEO/Director of Education, Eastern School District. "We have notified all authorities and school administrators and have also taken immediate action with our landlord at Atlantic Place to strengthen our physical security measures."
[Evan] AND encrypt confidential information, AND prohibit the storage of confidential information on mobile devices whenever possible, AND evaluate our internal information security controls, AND…
"We are very concerned," chief executive officer Darrin Pike. "Obviously it's not a good thing, it's not something we want to minimize."
"From what the RNC tells us, [thieves] tend to reformat the hard drives and resell them," Pike said in an interview.
"They're not interested in the data in most cases. They're just interested in the box."
[Evan] I think that this logic is becoming more and more dangerous.
The District will now begin the process of notifying parents which primarily affects 56 schools in the Avalon East region and one school in the Avalon West region.
Commentary:
A stolen laptop containing personal information is nothing really new. What is new is the fact that this information belonged to children.
Keep sensitive data off laptops and other mobile devices. IF it must be written to and/or stored on mobile devices, institute additional controls to protect the data against the physical theft of the device! The fact that the district is going to "strengthen our physical security measures" is good, but it is far from addressing the root of the problem.
Past Breaches:
Unknown
Date Reported:2/21/08
Organization:
Eastern School District (St. John's, Newfoundland, CA)
Contractor/Consultant/Branch:
None
Victims:
Students
Number Affected:
~28,000
Types of Data:
Names, Medical Care Plan (MCP) numbers, addresses, grade levels, phone numbers, and names of parents/guardians.
Breach Description:
Four laptop computers were stolen from the Eastern School District Atlantic Place offices during a break-in that was discovered on February 17th, 2008. One of the stolen laptops contained personal information belonging to students bussing to and from schools in the district.
Reference URL:
Eastern School District Media Release
CBC News online story
Report Credit:
Mary Tucker, Eastern School District
Response:
From the online sources cited above:
On Sunday, February 17, 2008 it was discovered that four laptop computers were stolen from the Eastern School District’s Atlantic Place offices.
The Royal Newfoundland Constabulary was contacted immediately and they are currently investigating this incident as a Break, Entry and Theft.
As part of the District’s internal investigation, it was discovered that one of the stolen computers contains an electronic database of bussing information regarding approximately 28,000 students.
This information includes student names, MCP numbers, addresses, grade levels, phone numbers and names of parents/guardians.
[Evan] Is all of this information needed in order to track kids on busses? I suppose most of it is in case of emergency. Not a good idea to store it on an unencrypted laptop though, eh?
The stolen computers are password protected, thus limiting access to information. Additionally, the Eastern School District has been advised by the MCP Commission that access to individual medical records is not at risk.
[Evan] Don't be fooled into thinking that the password is going to stop anyone except complete novices or the unmotivated.
"We are very concerned about this theft and possible breach of private information," says Darrin Pike, CEO/Director of Education, Eastern School District. "We have notified all authorities and school administrators and have also taken immediate action with our landlord at Atlantic Place to strengthen our physical security measures."
[Evan] AND encrypt confidential information, AND prohibit the storage of confidential information on mobile devices whenever possible, AND evaluate our internal information security controls, AND…
"We are very concerned," chief executive officer Darrin Pike. "Obviously it's not a good thing, it's not something we want to minimize."
"From what the RNC tells us, [thieves] tend to reformat the hard drives and resell them," Pike said in an interview.
"They're not interested in the data in most cases. They're just interested in the box."
[Evan] I think that this logic is becoming more and more dangerous.
The District will now begin the process of notifying parents which primarily affects 56 schools in the Avalon East region and one school in the Avalon West region.
Commentary:
A stolen laptop containing personal information is nothing really new. What is new is the fact that this information belonged to children.
Keep sensitive data off laptops and other mobile devices. IF it must be written to and/or stored on mobile devices, institute additional controls to protect the data against the physical theft of the device! The fact that the district is going to "strengthen our physical security measures" is good, but it is far from addressing the root of the problem.
Past Breaches:
Unknown
Posts Atom 1.0
Comments