The risk of a laptop stolen from Hillsborough Community College
Technorati Tag: Security Breach
Date Reported:
7/24/08
Organization:
Hillsborough Community College
Contractor/Consultant/Branch:
None
Victims:
Employees
Number Affected:
"roughly 2,000"
Types of Data:
"names, bank-routing numbers, retirement information and Social Security numbers"
Breach Description:
"TAMPA - Hillsborough Community College warned its roughly 2,000 employees on Wednesday to monitor their bank accounts because an HCC programmer's laptop was stolen from a hotel parking lot in Georgia."
Reference URL:
The Tampa Tribune
Report Credit:
Valerie Kalfrin, The Tampa Tribune
Response:
From the online source cited above:
TAMPA - Hillsborough Community College warned its roughly 2,000 employees on Wednesday to monitor their bank accounts because an HCC programmer's laptop was stolen from a hotel parking lot in Georgia.
The risk of employees' personal information being used is slim.
[Evan] Really? Let's keep the risk theme going throughout this posting.
The programmer had been working on a payroll project for a group of employees using their names, bank-routing numbers, retirement information and Social Security numbers
[Evan] How much risk is involved with a programmer working with real data? How much risk is involved with a programmer carrying real (and sensitive) data on an unencrypted laptop? I am beginning to question how much HCC formally knows about risk.
the programmer had deleted all files related to the project before the theft
The programmer also emptied the trash on the desktop, and the computer is password-protected
[Evan] Does password-protection reduce the amount of risk to an acceptable level if encryption (with pre-boot authentication) is not used?
College officials thought it prudent to warn employees anyway, given the possibility that someone with sophisticated computer experience could retrieve the deleted data.
[Evan] I would agree that the risk of exposure may be lower due to the fact that another step would need to be taken in order to retrieve the information. However, in my opinion it doesn't take someone with sophisticated computer experience. What can we assume about the thief’s motivation?
"You know how sophisticated hackers can be," Carl said (spokeswoman Ashley Carl)
[Evan] Huh. Yes, some "hackers" are extremely talented and sophisticated in their methods, but most of them ain't as sophisticated as we give them credit for.
The programmer had been moving her family to Florida from Michigan when the Dell laptop was stolen from her car in Henry County, Ga.
The college's information-technology employees work remotely and carry laptops at all times
[Evan] Without encryption? What do we say about HCC's understanding of risk?
There was no intentional negligence on this programmer's part that requires discipline, Carl said.
[Evan] No, the negligence seems to lie elsewhere.
In the e-mail warning issued Wednesday, R. Bruce Judd, the college's vice president of information technology, advised employees to contact their banks and the college about any unusual activity in their accounts.
[Evan] I am not a fan of information security run by information technology departments. Information security is NOT an IT issue!
"You are receiving this notification to alert you to the fact that your personal information may be compromised and you should monitor the activity in the account into which you have your payroll check deposited," the message states. "Also, please remain cognizant of any evidence that may indicate that your identity has been stolen."
The college also is looking into acquiring technology that will allow workers to remotely locate laptops and to encrypt computers or disks. In addition, it stressed to employees who use laptops to use extra caution when securing the devices
[Evan] This would reduce risk, wouldn't it? Unfortunately, too many organizations only react to a specific incident and still don't consider other unrelated risks.
Commentary:
I can't even tell you how many times I have encountered programmers that work with "live" (real) data. A seemingly simple request like asking for sanitizing data or acquiring fake data has too many times been met with resistance. Maybe it's me or my approach, but it has sometimes been a challenge.
As far as HCC goes, I think that there is much more work to be done than they think.
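The "sanitized or fake data" request described above is easy to honor in practice. The following is an added example, not code from the original post or from HCC: it takes payroll records of the kind the article lists (names, bank-routing numbers, retirement information, Social Security numbers) and produces a development copy in which every sensitive field is replaced by a synthetic value that cannot be real, while a check routine confirms that none of the original values survived. The record layout, field names, sample rows and the HMAC key are all constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample payroll rows (fictional people; field names are assumptions
# made for this example). The two "Jane Example" rows are intentional: the same
# person must map to the same pseudonym so joins still work in a dev database.
SAMPLE_PAYROLL = [
    {"name": "Jane Example", "ssn": "123-45-6789", "routing": "123456780", "retirement_pct": 6.0},
    {"name": "John Sample", "ssn": "987-65-4321", "routing": "876543212", "retirement_pct": 4.5},
    {"name": "Jane Example", "ssn": "123-45-6789", "routing": "123456780", "retirement_pct": 6.0},
]

SENSITIVE_FIELDS = ("name", "ssn", "routing")

# Constructed key for this example only. In a real pipeline the key lives with
# the team that runs the sanitizer, never with the developers who get the output.
DEV_KEY = b"constructed-demo-key-do-not-reuse"


def _digits(key: bytes, field: str, value: str, n: int) -> str:
    """Deterministic n-digit string from an HMAC of (field, value).

    Same input and key always give the same output; without the key the
    mapping cannot be reversed or recomputed.
    """
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10**n).zfill(n)


def pseudonym_name(key: bytes, name: str) -> str:
    """Stable opaque label replacing a real name."""
    return "Employee-" + _digits(key, "name", name, 6)


def fake_ssn(key: bytes, ssn: str) -> str:
    """Keep the NNN-NN-NNNN shape but use area number 000, which the SSA never issues."""
    tail = _digits(key, "ssn", ssn, 6)
    return f"000-{tail[:2]}-{tail[2:]}"


def aba_check_digit(first8: str) -> int:
    """Check digit of a US ABA routing number from its first eight digits."""
    d = [int(c) for c in first8]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5])
    return (-total) % 10


def is_valid_aba(routing: str) -> bool:
    """True if the string is nine digits whose checksum is consistent."""
    return bool(re.fullmatch(r"\d{9}", routing)) and aba_check_digit(routing[:8]) == int(routing[8])


def fake_routing(key: bytes, routing: str) -> str:
    """Nine digits that look like a routing number but deliberately fail the checksum."""
    first8 = _digits(key, "routing", routing, 8)
    wrong_check = (aba_check_digit(first8) + 1) % 10
    return first8 + str(wrong_check)


def sanitize(records: list[dict], key: bytes) -> list[dict]:
    """Return a copy of the records with every sensitive field replaced."""
    out = []
    for rec in records:
        s = dict(rec)  # non-sensitive fields (e.g. retirement_pct) pass through
        s["name"] = pseudonym_name(key, rec["name"])
        s["ssn"] = fake_ssn(key, rec["ssn"])
        s["routing"] = fake_routing(key, rec["routing"])
        out.append(s)
    return out


def leaks(original: list[dict], sanitized: list[dict]) -> list[str]:
    """Sensitive values from the original set that still appear anywhere in the output.

    Run this before handing the dataset to anyone; an empty list is the release gate.
    """
    real_values = {rec[f] for rec in original for f in SENSITIVE_FIELDS}
    blob = repr(sanitized)
    return sorted(v for v in real_values if v in blob)


if __name__ == "__main__":
    dev_copy = sanitize(SAMPLE_PAYROLL, DEV_KEY)
    for row in dev_copy:
        print(row)
    print("leaked values:", leaks(SAMPLE_PAYROLL, dev_copy))
```

The design point is that the fake values are shaped like the real ones (so the payroll code under development still parses them) but are provably not real: an SSN with area 000 is never assigned, and a routing number with a broken check digit belongs to no bank. Because the replacement is keyed, the developer cannot turn a pseudonym back into an employee, and a laptop carrying only the sanitized copy holds nothing worth a breach notification.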
Past Breaches:
Unknown
