Stolen Salt Lake Community College laptop
Technorati Tag: Security Breach
Date Reported:
2/26/08
Organization:
Salt Lake Community College ("SLCC")
Contractor/Consultant/Branch:
None
Victims:
Students, faculty and staff
Number Affected:
unsure, maybe 1,000*
*Although the school claims "we called more than 25,000 people"
Types of Data:
Names, addresses, dates of birth, Social Security numbers and bank account numbers.
Breach Description:
A laptop belonging to the Salt Lake Community College is missing and presumably stolen. The laptop may have contained sensitive authentication information that could in turn be used to access resources containing personal information belonging to students, faculty and staff of the school.
Reference URL:
The Salt Lake Tribune online news story
Report Credit:
Roxana Orellana, The Salt Lake Tribune
Response:
From the online source cited above:
SLCC acknowledged a laptop had been stolen, but spokesman Joy Tlou said the school is still unsure whether the laptop taken from the Continuing Community Education of SLCC's Miller campus in Sandy contained internal log-in information for about 1,000 students, faculty and staff.
[Evan] What is "log-in information"? Is Joy Tlou talking about usernames, passwords, or both? Let's assume that it's both. If so, then this is very poor information security practice. There is NO need for anyone to know personal passwords except for the person that it belongs to. A personal password is confidential information that should not be disclosed to anyone. It proves to the system that you are who you proclaim yourself to be (called authentication). No assurance of password confidentiality = no proof that a person (or entity) is who they proclaim to be.
"We know which computer it was and we are trying to ascertain what information was on that computer," Tlou said.
Within a matter of hours of the computer's disappearance, the school began to contact all subscribers to the SLCC Web site through telephone calls, e-mails and a notice on the site.
"By the end of the next day, we called more than 25,000 people," he said.
[Evan] Due to poor information management the school does not know which 1,000 of the 25,000 people were victims, thus they have to call all 25,000?
With a user name and password, an intruder could gain access to a student's "My Page" account, which contains a Social Security number and financial aid information, among other information, students said.
[Evan] Social Security numbers stored in a database accessible through an intranet page with passwords stored in clear-text on a laptop. Sound like a bum deal? I can only venture to guess what controls and processes surround database access.
Tlou said even if log-in information were on the laptop, it "may or may not have been accessible because of the security measures that were already placed on that machine."
[Evan] Like?
"We have done everything we possibly can to make sure everyone is physically safe and that their information is safe," Tlou said. "I can't stress enough that is our No. 1 priority."
[Evan] No, no, no. Everything possible entails much, much more.
He added that the security concern prompted SLCC to accelerate a planned policy change that will require all college personnel to change passwords every 90 days.
[Evan] Regular password changes (if you use them) offer a limited amount of risk mitigation with regard to what caused this breach. The problem is much bigger.
Victim Response:
"I'm upset that they're not telling me everything that happened," Marty Greenlief, SLCC student
Student Dan Behunin said that although SLCC officials tried to assuage his concerns, he's still worried someone may have access to information on his student account. "That information is crucial," Behunin said. "That could ruin you."
Commentary:
I am glad that I do not have any of my personal information under the custodianship of SLCC. Organizations that collect and store confidential information need to design appropriate controls around the security of such information. Judging from the (very) limited information I have about SLCC's information security practices, they have much room for improvement and much work to do.
By the way, did anyone mention encryption?
Past Breaches:
Unknown