NHTI loses thumb drive that may have contained student information

Date Reported:
5/30/08

Organization:
NHTI, Concord's Community College

Contractor/Consultant/Branch:
None

Victims:
Nursing program graduates from the classes of 2006 and 2007

Number Affected:
128

Types of Data:
"names, social security numbers, addresses, phone numbers, and email addresses"

Breach Description:
NHTI has notified the New Hampshire State Attorney General of a lost flash drive that may have contained sensitive personal information belonging to nursing program 2006 and 2007 graduates.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
New Hampshire State Attorney General

Response:
From the online source cited above:

We are writing to notify you that NHTI, Concord's Community College recently learned of a data security incident involving personal information of individuals who have graduated from the College.

On April 23, 2008, it was discovered that a data storage device, or flash drive, was missing.
[Evan] Are unsecured flash drives allowed for use with NHTI information resources?  There is no mention in the breach notification.

The flash drive may have contained the names, social security numbers, addresses, phone numbers, and email addresses of our nursing program graduates from the classes of 2006 and 2007.

Our Campus Safety Department conducted a thorough investigation to locate the flash drive.

The investigation concluded that we cannot determine whether a security breach has occurred.
[Evan] What is the school's definition of a security breach?  Was the Campus Safety Department unable to confirm that personal information was stored on the lost flash drive?  If not a breach, then poor information management at the least.

The potential security breach involved personal identification information of 128 former students.

While we do not believe the flash drive was taken for purposes of identity theft, we have recommended that the affected individuals take steps to protect themselves from the possible misuse of personal information.
[Evan] Really, at the end of the day I don't think it matters how many steps people take to protect themselves if the custodians of confidential information do not take proper care of the information entrusted to them.  Everyone needs to play their role.  Owner, custodians and users.

There is no indication that the disappearance of the device, a USB flash drive, was motivated by identity theft.

We do not have any evidence that your information has been misused, and we believe the likelihood of such misuse is low.
[Evan] "Low" is subjective and hard to measure.  This reminds me of some informal research we conducted a while back.  We were curious.  We found a leftover box of unused flash drives that a marketing department had been giving away (s.w.a.g.) at a trade show.  We wanted to find out #1, how many people pick up a flash drive if they find one lying around, and #2, how many people plug them in and peruse the contents/use them.  We had 40 flash drives.  29% of people picked them up (meaning it took 137 people walking by to nab 40 flash drives).  We tried to vary the locations of the flash drives both out in the open and semi-private.  Of the 40 people that picked up the flash drives, all 40 used them.  I suppose that this particular flash drive could have ended up in the garbage or destroyed somehow, but if someone found it, I think chances are pretty good that someone will find the information.  The difficult part is trying to determine what someone will do with the information once they have it, I suppose.

However, out of an abundance of caution, we are informing everyone who may be affected by this incident so that they may properly evaluate what actions - if any - they wish to take in this matter.
[Evan] The "abundance of caution" phrase is quickly becoming my pet peeve.  An abundance of caution would have gone a long way towards preventing the breach.  Storing confidential information on an insecure flash drive certainly does not demonstrate an abundance of caution.

We have obtained the services of a credit monitoring organization to provide free credit monitoring for one year to the affected individuals.

NHTI takes the protection of confidential information very seriously.

We sincerely regret that this incident occurred and are taking steps to prevent this type of breach from occurring again.

The College has instituted safeguards to prevent such incidents in the future.
[Evan] Like?

If you have any questions or concerns, please contact NHTI's Director of Communications, Alan Blake, at .

Commentary:
Most of my commentary is included above.  Flash drives are very convenient, but sometimes the thought of them sends a slight shiver down my spine.  If their use cannot be properly controlled, their use can be disastrous.  So, if you can't control their use, then prohibit their use.  I know of quite a few companies that have banned flash drives and disabled USB and FireWire ports.

I was a little tardy in finding this breach.  I thought it was still good information for readers though.

Past Breaches:
Unknown

Comments
  • 6/25/2008 7:49 AM Dissent wrote:
    Evan writes: "Was the Campus Safety Department unable to confirm that personal information was stored on the lost flash drive? "

    In a nutshell, that's precisely what happened. They could neither confirm nor disconfirm whether the folder was on the missing flash drive. I spoke with their Director of Communications yesterday and included his comments in my report on the breach here.

    I did suggest to him that at the very least, they consider installing TrueCrypt on all flash drives. That way, if someone screws up again and doesn't follow policy, at least the drive would be encrypted if it was lost. I think they may actually follow up on that idea.
    1. 6/25/2008 7:58 AM Evan Francen wrote:
      How do you have time to follow-up with NHTI?!  LOL.

      Good work!  Installing TrueCrypt on all flash drives will help to address this one particular risk.  It would also behoove NHTI to take the time to address the greater issue of risk management and information security governance in general.  No small task, but if done correctly it would be a rewarding one.  Do they have a CISO/ISO/CSO or equivalent?

      I actually used the word "behoove".

  • 6/25/2008 9:00 AM Dissent wrote:
    How do I have the time? I don't. :) But some reports don't quite feel right or make sense to me, so if I can, I make a call to get additional info. I'm holding off on publishing the Quixtar breach reported to the NH DOJ until they get back to me to clarify what are some inconsistencies, shall we say, in their notification letters?

    I also have a note to self to follow up on Ebara that I reported this morning -- another part of the Colt/CNet incident.

    Too many breaches, too little time....
    1. 6/25/2008 10:06 AM Evan Francen wrote:
      Oh yes!  I hear you loud and clear.

      I am just writing the first Colt/CNET commentary.  This breach is reminiscent of the ASI breach in February.

      I am leaving for Disney World this afternoon.  I am going to make some time!  I'm not sure how I am going to update the blog yet, but this is secondary to family time.

  • 6/25/2008 10:43 AM Dissent wrote:
    Yes, I agree Colt is reminiscent in some respects... smash and grab, unencrypted data from clients at rest on stolen hardware...

    Enjoy Disney! The breaches will all be waiting for you when you come back. ;o)