Arapahoe Community College flash drive goes missing

Date Reported:
8/5/08

Organization:
Arapahoe Community College (ACC)

Contractor/Consultant/Branch:
Unnamed "contractor"

Victims:
"clients of the College’s Corporate Learning Division"

Number Affected:
15,000

Types of Data:
"names, addresses, credit card numbers and social security numbers"

Breach Description:
"LITTLETON - Arapahoe Community College (ACC) is notifying 15,000 students that their personal information has been lost or stolen."

Reference URL:
KUSA-TV Channel 9 News
ACC Special Advisory for Corporate Learning Division Customers

Report Credit:
Arapahoe Community College

Response:
From the online sources cited above:

LITTLETON - Arapahoe Community College (ACC) is notifying 15,000 students that their personal information has been lost or stolen.

a hard copy letter detailing the loss is being mailed to all affected students
[Evan] I think it is rare for an organization to have identified and located "all" those who have been affected.

The letter is in addition to an e-mail that was sent on Friday.

The e-mail indicates that a contractor who manages the student information database had a flash drive lost or stolen at Copper Mountain Resort in Summit County.

On Friday, Aug. 1, a contractor with ACC’s Corporate Learning Division reported a flash drive missing that contained non-credit customer data from the Division.
[Evan] You may be asking the same question, what is a contractor doing with sensitive information on an unprotected flash drive at Copper Mountain Resort?  You may also be asking, how was this permitted to happen?

The contractor was responsible for periodic updating of the database, and he downloaded the data onto the flash drive for maintenance.
[Evan] I can think of more appropriate places to store the information during the database update.

A police report was filed with the Summit County Sheriff's Department on Friday.

The flash drive contained the records for students from the Corporate Learning Division and had the personal information of students dating back to 1997.
[Evan] 1997 to 2008 is eleven years.  ACC was able to locate and notify "all" affected people?  I would think that there is a certain percentage of people who have changed contact information over time.

Loss of this information only affects customers served by the Corporate Learning Division in Parker, which provides customized training to a small percentage of ACC’s non-credit student body.
[Evan] Minimize #1

This does not affect students at the main campus in Littleton, according to John Scarffe with ACC.
[Evan] Minimize #2

Information on the drive included the names, addresses, credit card numbers and social security numbers for more than 5,000 students in the Corporate Learning Division.

The drive did not contain the three-digit security code for the credit cards.
[Evan] Minimize #3

At this time there is no evidence this information was stolen as opposed to being misplaced, but ACC is taking appropriate precautions to protect this very small percentage of our non-credit student body
[Evan] Minimize #4 (and possibly #5).  Stolen or misplaced, what do you think most people do with a found or stolen flash drive?  I think most people connect it to their computer and try to use it.  Unprotected flash drives storing sensitive information are FULL of risk.

The data affects only six percent of ACC’s annual headcount.
[Evan] Minimize #5, and so what?

Those who are at risk of having their social security number or credit card number compromised represent three percent of ACC’s records for the time period encompassed by the data.
[Evan] Minimize #6, and another so what?

Ninety-seven percent of this data remains uncompromised
[Evan] Minimize #7

In the e-mail ACC President Bert Glandon apologized for the loss, "On behalf of Arapahoe Community College, I offer our sincerest apology that this unfortunate incident occurred. I assure you that safeguarding your information is one of our highest priorities."

"This was a clear violation of Arapahoe Community College and Colorado Community College System policy which prohibits storing personal information on portable electronic devices," said Glandon, "Arapahoe Community College is taking steps to ensure this does not happen again."
[Evan] Policy don't mean diddly if people aren't aware/trained and the policy ain't enforced.

This situation is currently being investigated, and administrative action is being taken.

All employees are being retrained regarding our policies and procedures pertaining to the handling of student records.
[Evan] Not just student records, but ALL sensitive information.

We are also conducting a security audit

Corporate Learning Division customers who do not receive an e-mail message or a letter are not at risk. Anyone with questions or concerns should call the hotline at .

Commentary:
It's breaches like this that make you shake your head.  We keep fighting the good fight.  I counted at least seven statements that seem to be meant to minimize the situation and potential impact of this breach.  Believe it or not, I don't think that this is a record.

Past Breaches:
Unknown
