Indiana State University professor's laptop is stolen

Date Reported:
7/15/08

Organization:
Indiana State University

Contractor/Consultant/Branch:
None

Victims:
"students who took economics classes from 1997 through the spring semester 2008"

Number Affected:
"more than 2,500"

Types of Data:
"names, grades, e-mail addresses and student identification numbers"*

*Until 2003, student identification numbers were the equivalent of each student’s Social Security number.

Breach Description:
"A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen during the weekend, the university reported Tuesday."

Reference URL:
Indiana State University
Associated Press via WTHI Channel 10 News
Associated Press via Chicago Tribune

Report Credit:
Indiana State University

Response:
From the online sources cited above:

A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen during the weekend, the university reported Tuesday.
[Evan] What do you suppose the purpose of the "password-protected" mention is?  I hope it is not meant to reassure anyone that the information is safe.  For those of you who do not know, password protection is easily bypassed and, in the opinion of many information security professionals (this one included), does NOT provide adequate protection for confidential information.

While there is no evidence to suggest that password security was breached, the university is taking the precaution of notifying all affected students for whom it has current contact information.
[Evan] If someone were to breach the "password security", what evidence would the school see?  None.  There would be no evidence (except locally on the laptop) if the local password store had been compromised.  The school no longer has possession of the laptop, so the school would have no evidence.

The laptop contained data for students who took economics classes from 1997 through the spring semester 2008, estimated at more than 2,500 individuals.

If you took an economics class during this time period, but did not receive a letter, please call the Registrar’s Office to verify that you were on the list, and to update your address so that we may send you a letter.
[Evan] Contact information for the Registrar's Office, click here.

The information includes names, grades, e-mail addresses and student identification numbers.

Beginning in 2003, use of social security numbers as student ID numbers was discontinued in favor of university-specific identification numbers.
[Evan] A sound security decision by the university would have been to follow up with a project to identify and remove Social Security numbers already held as student IDs.  Maybe it was, but the information on this laptop was missed.

The theft occurred Saturday while the professor was traveling in southern Indiana

the professor was traveling with his family and briefly left the computer unattended
[Evan] A laptop can grow legs in a flash.  A person doesn't need to leave a laptop unattended for very long for it to disappear.

The incident occurred on July 12, 2008 and was reported to university officials on July 14, 2008.

The incident was reported immediately to the appropriate law enforcement agency and early Monday to university officials.

The extent of the information contained on the computer was not determined until Monday night.

Faculty and staff are being reminded that university policy prohibits the storage of private, sensitive data on portable computers.
[Evan] Excellent policy provision.  Policy does little if it is not communicated, enforced, audited against, and improved.  Where was the failure in the breach?  Was the policy not communicated to this professor, and thus he/she was not aware?

In addition, laptops provided to faculty are equipped with several security measures including encryption and a bio-metric fingerprint reader to prevent access by anyone other than the assigned user.
[Evan] An excellent standard (or procedure).

Approximately 500 ISU faculty members have laptop computers.

The university is reviewing its procedures to ensure compliance with existing policies, said Interim President C. Jack Maynard, the university’s provost and vice president for academic affairs

From the FAQs:

Q: What can someone do with a stolen SSN?
A: "With just a SSN there is little anyone can do in the way of setting up a false identity or securing credit. Generally an identity thief would need more information and documentation to set up false credit."
[Evan] A SSN needs to be held in strict confidentiality in today's financial, employment, health, and other systems.  It is often used for identification and authentication.  Once an identity thief has a SSN, the owner of that SSN is now a prime target because the thief has the most confidential piece of information (ingredient) in the identity theft recipe.  The rest of the information is typically easier to come by, i.e. name, address, employer, etc.  It is true that an SSN alone is not enough information to commit identity theft, but it is an EXCELLENT start.

Commentary:
We can assume that the school knows the risks involved in storing confidential information on a poorly protected laptop.  Otherwise, they probably wouldn't have policy and procedure against it.  The school's statements that are meant to minimize the risk, seemingly without fact, are disappointing.

Past Breaches:
Unknown

 