6,200 people notified of ETSU stolen computer
Technorati Tag: Security Breach
Date Reported:
6/7/08
Organization:
East Tennessee State University
Contractor/Consultant/Branch:
None
Victims:
"students, alumni and staff"
Number Affected:
6,200
Types of Data:
"personal information"
Breach Description:
"JOHNSON CITY, Tenn. - East Tennessee State University has sent a letter to 6,200 people whose identities could be compromised by the theft of a desktop computer."
Reference URL:
Knoxville News Sentinel
News Channel 11
Report Credit:
Knoxville News Sentinel
Response:
From the online sources cited above:
JOHNSON CITY, Tenn. - East Tennessee State University has sent a letter to 6,200 people whose identities could be compromised by the theft of a desktop computer.
[Evan] If an organization is going to allow confidential information to be stored on client computers, then the organization must properly control physical security or provide mitigating controls. Servers are typically stored in climate controlled and physically secured rooms employing enhanced controls such as security cards, biometrics, locked racks, CCTV, etc. If these controls are not present at the client computer, then mitigating controls need to be designed and implemented to counter physical theft. One of the best controls to counter physical theft is encryption. Of course it could be decided that allowing confidential information storage on a client computer poses an unacceptable risk, but this would require some risk management.
someone broke into a locked office and locked suite last month and stole a computer containing private information like social security numbers
there was no sign of forced entry, though the room was locked and a big screen tv was also stolen
[Evan] No forced entry causes me to think that someone did not "break into" the locked office.
the computer is password protected and files cannot be easily accessed
[Evan] Oops, this is not true. In most cases, these files ARE easily accessed.
there is a small possibility that the information could be compromised
[Evan] Based on my last comment, this one should be corrected.
Those who received the letter are asked to notify one of the three major credit bureaus and place a fraud alert on their files.
University Provost and Vice President for Academic Affairs Bert C. Bach said ETSU has set up a Web site with procedures for preventing or dealing with identity theft.
[Evan] I scoured the ETSU web site and couldn't find any information relating to this breach. I wonder if the Web site that Mr. Bach refers to is a secure site and not accessible from the public internet.
Bach said the missing computer was stolen from a secured area on May 17.
ETSU officials are investigating.
Commentary:
I couldn't find much information about this breach other than that which was provided in the two short news reports. When there is little detail, Evan speculates.
Past Breaches:
Unknown
Date Reported:6/7/08
Organization:
East Tennessee State University
Contractor/Consultant/Branch:
None
Victims:
"students, alumni and staff"
Number Affected:
6,200
Types of Data:
"personal information"
Breach Description:
"JOHNSON CITY, Tenn. - East Tennessee State University has sent a letter to 6,200 people whose identities could be compromised by the theft of a desktop computer."
Reference URL:
Knoxville News Sentinel
News Channel 11
Report Credit:
Knoxville News Sentinel
Response:
From the online sources cited above:
JOHNSON CITY, Tenn. - East Tennessee State University has sent a letter to 6,200 people whose identities could be compromised by the theft of a desktop computer.
[Evan] If an organization is going to allow confidential information to be stored on client computers, then the organization must properly control physical security or provide mitigating controls. Servers are typically stored in climate controlled and physically secured rooms employing enhanced controls such as security cards, biometrics, locked racks, CCTV, etc. If these controls are not present at the client computer, then mitigating controls need to be designed and implemented to counter physical theft. One of the best controls to counter physical theft is encryption. Of course it could be decided that allowing confidential information storage on a client computer poses an unacceptable risk, but this would require some risk management.
someone broke into a locked office and locked suite last month and stole a computer containing private information like social security numbers
there was no sign of forced entry, though the room was locked and a big screen tv was also stolen
[Evan] No forced entry causes me to think that someone did not "break into" the locked office.
the computer is password protected and files cannot be easily accessed
[Evan] Oops, this is not true. In most cases, these files ARE easily accessed.
there is a small possibility that the information could be compromised
[Evan] Based on my last comment, this one should be corrected.
Those who received the letter are asked to notify one of the three major credit bureaus and place a fraud alert on their files.
University Provost and Vice President for Academic Affairs Bert C. Bach said ETSU has set up a Web site with procedures for preventing or dealing with identity theft.
[Evan] I scoured the ETSU web site and couldn't find any information relating to this breach. I wonder if the Web site that Mr. Bach refers to is a secure site and not accessible from the public internet.
Bach said the missing computer was stolen from a secured area on May 17.
ETSU officials are investigating.
Commentary:
I couldn't find much information about this breach other than that which was provided in the two short news reports. When there is little detail, Evan speculates.
Past Breaches:
Unknown
Posted by Evan Francen at 6/9/2008 2:41 PM 
Categories: Stolen Computer, East Tennessee State University
Categories: Stolen Computer, East Tennessee State University
Posts Atom 1.0
Comments