University of South Carolina Moore School of Business breach

Date Reported:
6/9/08

Organization:
University of South Carolina

Contractor/Consultant/Branch:
Moore School of Business

Victims:
"faculty, staff and students"

Number Affected:
~7,000

Types of Data:
"some personally identifiable data"

Breach Description:
"The University of South Carolina is warning about 7,000 faculty, staff and students that some of their personal information was on a desktop computer stolen from an office at the business school."

Reference URL:
The State

Report Credit:
The State

Response:
From the online source cited above:

The University of South Carolina is warning about 7,000 faculty, staff and students that some of their personal information was on a desktop computer stolen from an office at the business school.

Monday evening, May 26th, 2008, computer hardware containing data files was stolen from the Dean’s Office.

"Among the items was a desktop computer belonging to Deputy Dean Dr. Scott Koerwer,"
[Evan] I am semi-sure that a business case could be made to allow Dr. Scott access to confidential information, but there should be NO business case allowing for the storage of this information on the desktop computer he uses.  I also doubt that he needs access to Social Security numbers.

"As a result of the computer being stolen, we feel it is possible that some personally identifiable data could have been compromised."

There is a possibility that some personal information such as social security numbers, annual pay, and term of service at the University may have been compromised.

As soon as the unauthorized access was discovered (May 27, 2008), USC initiated its incident handling procedures, which include notification of affected individuals.
[Evan] I am glad to read that USC has incident handling procedures.  Many organizations do not.

university officials have no evidence anyone's personal information was accessed
[Evan] It's probably too soon for evidence.

"We feel the responsible thing for us to do is to notify those persons whose data was contained in the computer, and advise them of the fact, and share with them some useful steps they may want to take for additional protection,"

the university is notifying about 130 faculty and staff at the Moore School, and just under 7,000 students who took business courses in the last academic year

the university’s Division of Law Enforcement and Safety and Office of Information Technology are investigating the matter

The Moore School of Business has taken precautions to minimize future security risks.
[Evan] Like what?  Anybody can make a statement like this.  People should be provided with some details.  Details that don't give away too much, but enough to instill confidence.  This statement means little to me.

Deputy Dean Koerwer circulated a letter to students dated June 6 that suggested some steps they might take to protect themselves from identity theft.

Guidance regarding the burglary, including answers to frequently asked questions that we anticipate on identity protection, identity theft, and precautionary measures is available at the University’s website: www.sc.edu/identity/index.shtml

We deeply regret any inconvenience or concern that this incident may cause. We assure you that the University, along with the Dean’s Office, is working diligently to prevent this type of incident from recurring.

Please know that the university faculty and staff are committed to protecting all personal information.

Commentary:
This is a physical, administrative and potentially logical information security breach. There is no information provided about what physical controls were present to prevent an intruder from stealing the desktop computer, so it is difficult to comment. There is little information provided around the administrative controls in place, but we can infer some things. Due to the fact that the school did not state that the storage of confidential information on client computers is prohibited, maybe we can assume that it is permitted. There was no mention of encryption, so I question whether or not this is a logical control that may have been lacking.

Information security is a holistic discipline and the controls I mention above are a very, very small part of the big picture.

Past Breaches:
September, 2007 - University of South Carolina Mistake Leads to Breach of 3,199 Records


 