Stolen Rochester Institute of Technology laptop
Date Reported:
8/30/08
Organization:
Rochester Institute of Technology ("RIT")
Contractor/Consultant/Branch:
National Technical Institute for the Deaf
Victims:
"individuals who have applied to enroll at the National Technical Institute for the Deaf (dating back to 1968)" AND another 1,100 members of the RIT community
Number Affected:
about 13,800
Types of Data:
"names, dates of birth, and Social Security numbers"
Breach Description:
"RIT recently discovered that personal information was on a laptop computer stolen from the National Technical Institute for the Deaf on August 25."
Reference URL:
RIT University News
WHAM 1180 News
Rochester Democrat and Chronicle
Report Credit:
Rochester Institute of Technology ("RIT")
Response:
From the online sources cited above:
RIT recently discovered that personal information was on a laptop computer stolen from the National Technical Institute for the Deaf on August 25.
[Evan] Was the laptop encrypted? There is no mention of encryption anywhere in the RIT news release. We will presume that it was not.
The information included names, dates of birth, and Social Security numbers.
Letters were mailed to those affected.
This information security alert does NOT affect the entire RIT community, but a specific population.
This includes about 12,700 individuals who have applied to enroll at the National Technical Institute for the Deaf (dating back to 1968).
[Evan] Dating back to 1968!? 40 years!? Why does (did) RIT need to keep personal information for 40 years? If you keep sensitive information that still has value, you need to protect it for the entire time that you have it. There is absolutely no reason to keep someone's Social Security number for 40 years. This is mind-boggling.
Another 1,100 members of the RIT community have also been impacted.
A toll-free hotline has been established at 1-.
You will be able to call this number through a relay service.
The hotline will be available from Tuesday, Sept. 2, through Friday, Sept. 26, and you may call from 9 a.m. to 9 p.m. (Eastern Time) on weekdays, and on Saturdays from 10 a.m. to 4 p.m.
Select FAQs from the Rochester Institute of Technology News:
Q. How could this happen?
A. Like all organizations that store personal information, RIT is acutely aware of the need to secure sensitive data. All organizations are susceptible to criminal activity, however.
[Evan] Uh, not all organizations that store personal information are acutely aware of the need to secure it. Too many organizations are completely oblivious. If RIT were acutely aware AND qualified to store personal information, RIT would have encrypted the sensitive information at rest (on the laptop). We are all susceptible to criminal activity, and knowing this, we take steps to reduce risk (locks on doors, burglar alarms, encryption, etc.). We try to not make it easy for them (criminals).
Q. What is RIT doing to prevent this from happening in the future?
A. RIT continuously reviews the technical controls as well as the business processes in place to protect sensitive data. These controls and processes are being analyzed.
Q: I am not affiliated with NTID, so why was my personal information accessible?
A. Your information was used as part of a sample pool for a control group in a study. It was meant for internal use only.
Q. What happened to the private information?
A. We have no indication at this time that the information was accessed. We are notifying people for precautionary purposes.
RIT is committed to doing the right thing, and therefore immediately notified you of this incident. The primary purpose of our communication is to encourage you to immediately take action in an effort to prevent potential loss due to identity theft.
Once again, we share the concern and frustration that this incident has caused for our community, which is why we established a hotline, launched a thorough investigation, and have issued notifications.
Commentary:
This is the first time that I have read about a breach affecting people going back 40 years. I am having trouble getting past this fact. Oy vey (that’s a Yiddish exclamation of dismay or exasperation, but I ain't Yiddish).
Past Breaches:
Unknown
