Stolen laptop affects thousands of current and former Stanford employees

Date Reported:
6/6/08

Organization:
Stanford University

Contractor/Consultant/Branch:
None

Victims:
current and former employees hired before September 28, 2007

Number Affected:
as many as 72,000

Types of Data:
Some or all of the following: first and last name, gender, birthdate, Social Security number, business title and office location, work and home phone numbers, home address, salary, Stanford email address, Stanford ID card number and Stanford employee number

Breach Description:
"Stanford University determined yesterday that a university laptop, which was recently stolen, contained confidential personnel data. The university is not disclosing details about the theft as an investigation is under way."

Reference URL:
Stanford News Service
San Francisco Chronicle
KPIX Channel 5 News

Report Credit:
Stanford News Service

Response:
From the online sources cited above:

STANFORD (BCN) - The personal information of as many as 72,000 people working for, or formerly employed by, Stanford University could be at risk after officials determined a recently stolen laptop contained confidential personnel data.
[Evan] Even a prestigious school like Stanford University is not immune.  72,000 confidential personal records on a laptop that appears to have not been encrypted is not representative of good information security practice.

The computer contained personal records of Stanford employees hired before Sept. 28, 2007.

data on the laptop included some or all of the following: employees' names, birth dates, Social Security numbers, business titles, work and home phone numbers, home addresses, salaries, and Stanford e-mail addresses and employee identification numbers.

While the university does not believe the thief was aware of the records' existence on the machine, it is taking steps to assist anyone whose information might be misused.
[Evan] How many times have we read this in a breach notification?  It is almost like a breach notification isn't a breach notification without it.

"We believe that the perpetrator of the crime was not seeking the records on the computer or even aware of them,"

"Often, such thefts are property crimes in which the laptop's hard drive is erased before the laptop is resold."
[Evan] Robert Richardson, director of the San Francisco-based Computer Security Institute, responds: "In the past, if a laptop was stolen from a cafe, it was reasonable to think it would be reformatted and sold as a new machine," "Now I wouldn't make that assumption. Even the dumbest criminals out there are on to the fact that the data is where the money is." I have stated this numerous times on The Breach Blog. Now you don't have to take my word for it. Check out the CSI blog.

While there is no evidence that any of the information on the stolen laptop has been accessed, the University is committed to taking steps to assist individuals whose personal data may be misused.

The university is not disclosing the details of the crime, as an investigation is still under way.

This matter has been reported to law enforcement.

Stanford sent out an e-mail message Friday to all the current and former employees it could reach, advising them of the theft.

The university is sending e-mails and letters to current and former employees whose personal information may be at risk, as well as posting information on the Stanford homepage at: www.stanford.edu, and notifying the media.

The university said it will provide additional credit monitoring to help employees respond to the possible data breach and protect their identities from fraud.

"We will have services in place next week and Stanford is committed to assuming this cost,"

It is also looking at how to protect employee data better in the future.
[Evan] I hope that mobile device encryption is in the mix.

While the university has rigorous policies and guidelines designed to protect confidential information, events such as this demonstrate the need for heightened vigilance in this area.
[Evan] Information security always requires a "heightened vigilance".  It is a continuous effort.

Vice President for Business Affairs and Chief Financial Officer Randy Livingston will lead a task force to review policies and practices regarding the safety and security of sensitive data.

Livingston said: "The university has guidelines that prohibit keeping sensitive information on unsecured computers. This effort will be redoubled after this incident."

We sincerely apologize for this incident.

You can call and leave your contact information for a return call. You can also go to the Stanford home page for updates or email with your full name and date of birth.

Commentary:
If an organization employs laptops and other mobile devices, it is only a matter of time before one (or more) is lost or stolen. It is a fact of life, and it really doesn't matter how aware the users are. We either need to make sure that confidential information does not get stored on mobile devices, encrypt them (with secure key management) or preferably both. This is a simplistic view, but you get the point.

Breaches like this get old, but they still tick me off.

Past Breaches:
Unknown


 