Stolen SunGard laptop affects at least 10 post-secondary schools
Technorati Tag: Security Breach
Date Reported:
4/17/08
Organization:
Various post-secondary schools, including but not necessarily limited to:
Central Connecticut State University
Eastern Connecticut State University
Southern Connecticut State University
Western Connecticut State University
Northwestern Michigan College
Northwest Missouri State University
Buffalo State College
State University College at Brockport
Monroe Community College
Contractor/Consultant/Branch:
SunGard Higher Education*
*From the SunGard Higher Education "About Us" page:
"SunGard Higher Education provides software, strategic consulting, and technology management services to colleges and universities. We help more than 1,600 institutions worldwide strengthen institutional performance by improving constituent services, increasing accountability, and enhancing the education experience.
SunGard Higher Education has a vision to unify people, process, and technology in an environment that addresses the needs of higher education institutions and the people they serve. We call this vision the Unified Digital Campus."
[Evan] All of "the needs" except one critical one... SECURITY!
Victims:
Students and a limited number of employees
Number Affected:
Unknown, but at least 23,702
Types of Data:
Personal information including names, Social Security numbers and financial aid information
Breach Description:
"A laptop belonging to a consultant at SunGard Higher Education was stolen on March 13, 2008. The theft was immediately reported to law enforcement but the laptop has not been recovered. After analyzing a backup of the computer, SunGard Higher Education found that the stolen laptop contained data from projects with a number of customers."
Reference URL:
SunGard Higher Education (general)
The News-Times (Connecticut State University Schools)
Associated Press Connecticut (Connecticut State University System)
Associated Press Michigan (Northwestern Michigan College)
Maryville Daily Forum (Northwest Missouri State University)
The Buffalo News (Buffalo State College)
Democrat and Chronicle (State University of New York schools)
Northwestern Michigan College
Buffalo State College
State University College at Brockport
Report Credit:
SunGard Higher Education
Response:
From the online sources cited above:
A laptop belonging to a consultant at SunGard Higher Education was stolen on March 13, 2008. The theft was immediately reported to law enforcement but the laptop has not been recovered. After analyzing a backup of the computer, SunGard Higher Education found that the stolen laptop contained data from projects with a number of customers.
Security teams from affected institutions and SunGard Higher Education are working together to analyze and verify the data and notify affected individuals.
The laptop was protected with a strong password to access the operating system.
[Evan] It could be the strongest damn password in the world and still not provide an adequate level of security in my opinion. An operating system logon password only gates access to a running OS; it does nothing for the data sitting on the disk. Boot the laptop from removable media, or pull the drive and mount it in another machine, and the unencrypted files are readable in minutes without the password ever being entered. This is a poor attempt to minimize the incident.
The computer was password-protected but contained unencrypted files with personally identifiable data
[Evan] Even though encryption is not the "end all", encrypting the data at rest (whole disk or at least the project files) would have, in conjunction with other controls, reduced the risk of exposure to a level that is acceptable to many organizations (mine included).
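To make the "unencrypted files with personally identifiable data" point concrete, here is an added example (my illustration, not SunGard's or any school's tooling) of the check a practitioner would run before a project laptop leaves the office: a scanner that walks a directory tree and reports text-like files holding plausible Social Security numbers. The project directory and its contents are constructed inline with fake values; the nine-digit structural rules (no 000, 666 or 900-999 area number, no 00 group, no 0000 serial) follow what the Social Security Administration publishes, and the extension list and masking format are my assumptions.

```python
"""Find cleartext files that appear to contain U.S. Social Security numbers.

Added example for this post; it is not SunGard's or any school's tooling.
Assumptions (mine): files are scanned by extension as text, and a nine-digit
string counts as an SSN only if it passes the SSA structural rules. The
sample project tree is constructed inline for the demonstration.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# 123-45-6789, 123 45 6789 or 123456789, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Extensions treated as text exports; binaries and installers are skipped.
TEXT_EXT = {".csv", ".txt", ".sql", ".log", ".xml", ".json", ".dat"}


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject nine-digit strings the SSA would never issue."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report does not re-expose PII."""
    return "***-**-" + digits[-4:]


@dataclass
class Finding:
    path: str
    count: int
    sample: str  # masked first hit


def scan_file(path: str) -> Optional[Finding]:
    """Return a Finding for one file, or None if it holds no plausible SSN."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return None
    hits = [m for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]
    if not hits:
        return None
    return Finding(path, len(hits), mask("".join(hits[0].groups())))


def scan_tree(root: str) -> List[Finding]:
    """Walk root and collect findings for every text-like file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                continue
            found = scan_file(os.path.join(dirpath, name))
            if found:
                findings.append(found)
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree() -> str:
    """Constructed stand-in for a consultant's project export (fake data)."""
    root = tempfile.mkdtemp(prefix="pii-scan-")
    exports = os.path.join(root, "project", "exports")
    os.makedirs(exports)
    with open(os.path.join(exports, "students.csv"), "w") as fh:
        fh.write("id,name,ssn,aid_amount\n")
        fh.write("1,A Student,219-09-9999,4500\n")   # counted
        fh.write("2,B Student,078 05 1120,0\n")      # counted: spaces, not dashes
        fh.write("3,C Student,000-12-3456,0\n")      # area 000 never issued: skipped
        fh.write("4,D Student,999-12-3456,0\n")      # area 999 never issued: skipped
    with open(os.path.join(root, "project", "notes.txt"), "w") as fh:
        fh.write("Upgrade window 2008-03-13, ticket 4711, no PII here\n")
    with open(os.path.join(root, "project", "setup.exe"), "wb") as fh:
        fh.write(b"\x00219-09-9999")                 # wrong extension: skipped
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.path}: {f.count} SSN(s), e.g. {f.sample}")
```

Run as-is it reports only students.csv with two hits. Two caveats a practitioner should keep in mind: the extension filter is a known blind spot (the fake setup.exe carries an SSN and is never opened; a production scanner sniffs content rather than trusting names), and a scanner only tells you cleartext PII is present. The control the post is arguing for is that the drive be encrypted so the finding does not matter when the laptop walks.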
All affected customers have been notified. Customer names will not be disclosed for privacy and security reasons as the investigation continues.
[Evan] We already know of at least 10 post-secondary institutions.
The laptop was stolen in New York on March 13 and state officials say it contains the names and personal information of 3,502 present and former students of the four CSU universities.
could put the personal information of 1,600 Northern Michigan College students from 2003 at risk.
could potentially put personal information about Northwest Missouri State University students and alumni in the wrong hands.
Northwest believes it followed all appropriate internal procedures for protecting the privacy of its students. For its part, SunGard Higher Education has accepted responsibility for this incident and is working with the University to minimize any adverse consequences.
[Evan] This is a classic misunderstanding of the roles and responsibilities for information security governance and management. The custodians of the personal information were the schools AND SunGard, not only SunGard. It is the responsibility of the schools (as co-custodians) to require certain information protections from their vendors and contractors. This should be done through policy, contractual language and regular audit/enforcement.
Social Security numbers of about 16,000 current and former Buffalo State College students
affected thousands of students at State University College at Buffalo, State University College at Brockport and Monroe Community College.
We believe that the laptop was stolen for the hardware rather than the data. We do not know if any personally identifiable data was accessed by the thieves.
[Evan] This is another statement meant to minimize the impact of the incident. I do not doubt that computer equipment is often stolen for its hardware value, but how do we know that here? The laptop has not been recovered, so nobody can say whether the drive was read before it was wiped or resold. I am guessing that more and more criminals are examining the contents of poorly secured computing devices and looking for additional opportunities. The "laptop was stolen for the hardware" argument doesn't work anymore.
The nature of that employee’s job included analysis of customer data as part of software implementation and upgrade projects.
The laptop was taken from an employee of SunGard, a Pennsylvania-based computer software company that provides Buffalo State’s records system, said Voldemar Innus, a college vice president and chief information officer.
Innus also said the laptop was secure.
[Evan] No offense Mr. Innus, but the laptop WAS NOT secure.
"The laptop was stolen for its own worth as hardware," Innus said. "We do not believe it was stolen because of the information that was on it. And it was heavily password protected, we’re told."
"The risk I would say is not that high, but that doesn’t matter," Innus said. "There are steps we need to take because of what happened."
[Evan] People like to throw these terms like "secure" and "risk" around without any validation. How did Mr. Innus determine the risk (of exposure and/or misuse) with respect to this incident?
The data was originally provided for SunGard to perform various services for the university system, but it was apparently retained longer than necessary to perform those services,
A dedicated Web site containing updated information may be accessed at www.sungardhe.com/laptoptheft.
A help desk has been established with a toll-free number, , to respond to questions from affected individuals.
Credit monitoring will be provided at no cost to the affected individuals, for a period of one year.
[Evan] Credit monitoring is a post-fraud activity: it tells you about misuse after it has happened. One year is very limited for information (a Social Security number) that has a much longer lifespan.
Buffalo State student reaction:
In a campus dormitory, Ben Bissell, a sophomore special education major, and his friend Thomas Dennis, a freshman English education major, were making housing arrangements for next year. Bissell said he got the e-mail and was aware of the situation. Dennis was not.
Bissell was surprised such sensitive information could be placed in such a portable device as a laptop, which could easily be lost or stolen.
[Evan] Mr. Bissell is a "data owner" in this instance. The school and SunGard are "data custodians". In simplistic terms, data owners dictate what level of protection is required for the data that they own and data custodians apply the designated level of protection. Did the school and SunGard apply the designated level of protection in this case?
"You’d think it would be somewhat secure," Bissell said of his personal information.
He plans to closely monitor his bank statements and account activity following the announcement.
Omar Vargas, a sophomore elementary education major, told a reporter it was the first he had heard of the stolen laptop, admitting he feels "less secure" knowing about it.
"There’s enough things to handle being on campus, like going to classes and deadlines," Vargas said. "Then, just to find out my personal information is threatened is like, man, who knows what that could jeopardize."
[Evan] Very true. If we all just did what we were supposed to do, we wouldn't have to worry so much about what others aren't doing.
"I could wind up with bad credit when I’m on a good roll."
Commentary:
I provided a lot of my commentary above. There is no excuse that I can think of for such poor information security practice and management. Can the people running these companies (such as SunGard) and those responsible for information security claim they didn't know any better? Does it not go against SunGard Higher Education (or school) policy to store confidential information on a laptop while relying solely on operating system level passwords?
Nuts.
Past Breaches:
Unknown
Comments:
This was not Sungard's first stolen laptop. They reported another theft last March; see http://doj.nh.gov/consumer/pdf/sungard.pdf
Read their notification letter on that one, with special attention to their description of the security on that laptop. Do not have fluids in your mouth while reading it.
Of course, they may have implemented a different system by now, but I note that we have not been told whether the laptop was stolen from the employee's vehicle, home, or elsewhere, unless I missed something.

OK. I finished my (1st) cup of coffee. No fluids in mouth.
Let's read this puppy! Thanks!

Now aren't you glad you put the coffee down first? :)
From what I can deduce, neither the employee's car nor the laptop had a neon sticker that said "PII inside" and they considered that "Significant."
BTW, when you scroll all the way down, you note that the ID theft insurance coverage they offered cannot be offered to residents of NYS. I wonder what they'll do this time.

Yes, I am glad I put the coffee down! I forgot to spit out my gum though, and ended up swallowing it!
Is common sense not so common anymore?
I think some of the people running these organizations, some of the people running these information security programs, and some of these people responding to these incidents are supposed to be those 2-3% of the populace that we were taught were "unemployable" in those college economics classes. It really torques me, man!

There are more updates to this story in terms of number of colleges affected, and we haven't heard of all of them yet. For those who want to keep up with this one, feel free to use our Search tool to get to links.
Sungard's spokesperson also revealed some more about the breach in email to us. Apparently the employee was on a customer's site when the laptop was stolen -- and importantly -- the employee was reportedly not following Sungard's policies.
I almost feel sorry for them now, even though they are responsible for what their employee does.