Lasell College IT employee suspected in breach
Date Reported:
3/11/08
Organization:
Lasell College
Contractor/Consultant/Branch:
None
Victims:
"current and former students, faculty, staff, and alumni"
Number Affected:
10,500
Types of Data:
"names and social security numbers, among other information"
Breach Description:
"Lasell College recently learned that on or about February 6, 2008, an employee without proper authority accessed the College's computer network. Despite our efforts, we could not determine if any personal information contained in the databases on the College's network was actually compromised - only that the opportunity for unauthorized access or use of personal information existed."
Reference URL:
Lasell College News Advisory
The New Hampshire Attorney General breach notification
The Boston Globe
Report Credit:
The New Hampshire State Attorney General
Response:
From the online sources cited above:
Someone hacked into the Lasell College computer network, accessing data that contains personal information, including the names and Social Security numbers of current and former students, faculty, staff, and alumni.
It appears that as many as 20,500 individuals could have been affected.
There has been no confirmed misuse of the data.
The hacker is suspected to be an employee in the school's Department of Information Technology.
[Evan] What do you do when an IT employee commits fraud or oversteps his/her duties? This is a real challenge. Lasell College deserves credit for detecting the unusual activity. This is one (of many) reasons why information security is NOT an IT function.
University officials said they first discovered the suspicious activity on Feb. 6 and promptly began an investigation. They said they notified local law enforcement authorities and attorneys general and other officials in states where the affected individuals reside.
"We deeply regret this situation and are taking steps to investigate what has happened and to put measures in place to improve the protection of our data and to limit the data we keep to what we really need," Deborah Gelch, the college's chief information officer, said in a statement.
The College plans to begin notifying the affected individuals in the next several days.
Please know that the College also took immediate steps to ensure further the security of its information systems going forward. The College's actions in this regard are ongoing.
[Evan] Keyword is "ongoing". Excellent. Information security is always an ongoing lifecycle-type discipline.
If you have questions or concerns you should call First Advantage Corporation at 1-.
The College takes data security very seriously and has taken steps to minimize the risks from this incident. We will notify you if there are any significant developments that occur in the future. We will post any new information at www.Lasellemergency.net.
Commentary:
There have been quite a few information security studies involving IT personnel who overstep their duties and breach information security controls. In most organizations, information security personnel report up through the IT organization (such as the CIO, VP of IT, etc.). In my opinion, this is a mistake. Information security is a business issue, not an IT or technology issue.
I like the response from Lasell. I think that security breaches by IT personnel often go undetected.
Past Breaches:
Unknown
