CollegeInvest external hard drive goes missing
Technorati Tag: Security Breach
Date Reported:
4/25/08
Organization:
State of Colorado
Contractor/Consultant/Branch:
Department of Higher Education
CollegeInvest*
*"As a nonprofit division of the Department of Higher Education, CollegeInvest helps students and families finance college through student savings accounts, loans and scholarships."
Victims:
Customers**
**CollegeInvest Education Loan Borrowers January 2002 - August 2007:
- Student Loan Borrower
- Parent Loan Borrower
- Consolidation Loan Borrower
- Direct Portfolio College Savings - Account Owner, Beneficiary
- Stable Value Plus College Savings - Account Owner, Beneficiary & Account Successor
- Prepaid Tuition Fund - Account Owner, Beneficiary & Account Successor
- Early Achievers Scholarship Program - All Participants
- College In Colorado Scholarship Program - All Participants
- College Opportunity Fund (COF) Participants - Paper Applications Mailed In Only
Number Affected:
~200,000
Types of Data:
Loan, savings account and scholarship information, including names, addresses and Social Security numbers
Breach Description:
"CollegeInvest moved to a new office space the weekend of March 28th using the international moving firm Graebel. Although Graebel specializes in office relocations and has specialists in moving computer equipment, CollegeInvest discovered while unpacking at the new location that a hard drive with the personal data of some customers was missing. Despite an extensive internal investigation, the hard drive has not been found."
Reference URL:
CollegeInvest Data Privacy Information Frequently Asked Questions
The Gazette (Colorado Springs)
Colorado Fox News
The Denver Post
Report Credit:
CollegeInvest
Response:
From the online sources cited above:
CollegeInvest moved to a new office space the weekend of March 28th using the international moving firm Graebel. Although Graebel specializes in office relocations and has specialists in moving computer equipment, CollegeInvest discovered while unpacking at the new location that a hard drive with the personal data of some customers was missing. Despite an extensive internal investigation, the hard drive has not been found.
[Evan] Is this an attempt to push some of the blame onto Graebel?
About 200,000 CollegeInvest clients - including its entire list of student-loan recipients - had personal information stored on a computer hard drive that the agency said is missing.
[Evan] Really? This was an external hard drive being used as a backup device. Not a recommended practice without encryption and good key management.
Roughly 23 percent of its client base was affected.
CollegeInvest sent out letters this week to clients informing them that their names, addresses and Social Security numbers may be at risk.
"We feel pretty confident the data itself will not be accessed," spokeswoman Jennifer Robinson said.
[Evan] Why is that?
She said it is encoded and password protected.
[Evan] Encoded? How? The Denver Post claims that Jennifer Robinson stated the hard drive was encrypted. None of the other sources (including CollegeInvest) are clear on this issue. Clarity in an incident response is very important.
CollegeInvest believes it is unlikely that any of the personal information has been compromised because the data is in a format that would be very difficult to access. Recovery of the data would require significant technical expertise and specialized software tools.
[Evan] We have read statements like this before. Who is to judge?
The company has not received any calls from clients saying their identities have been stolen.
The lost data were stored on an external hard drive used to back up files.
CollegeInvest discovered the drive was missing after it moved into its new Denver offices.
The Colorado Bureau of Investigation has been asked to determine if the drive was stolen or lost.
CollegeInvest has recommended its customers monitor bank statements and credit reports. It will also pay for one year of free credit monitoring for those affected.
We know that consumers are very focused on maintaining the confidentiality of their personal data and we want to assure them that we take this responsibility very seriously. CollegeInvest deeply regrets any inconvenience to customers that this may cause and wants to ensure that our customers get all their questions answered and their concerns addressed.
Commentary:
It's difficult to comment much on this breach because the response lacks clarity, and that lack of clarity is a problem in itself.
How much could credit monitoring cost (hypothetically)? List price for Triple Alert is $10.45 for a one-year subscription; FamilySecure is $29.95 for one year. 200,000 victims x $10.45 = $2,090,000. 200,000 victims x $29.95 = $5,990,000. So a simple lost or stolen hard drive has the potential to cost $2 - 6 million in credit monitoring alone. No cost to the victims, right? Well, not unless you happen to be a taxpayer. Somebody always pays the price.
We all know that a significant number of victims will not sign up for credit monitoring. We also know that CollegeInvest will not be charged full list price for the service. Nevertheless, the costs, whatever they turn out to be, are significant.
Past Breaches:
Unknown