Tennessee State University financial aid information on lost flash drive
Date Reported: 9/12/08
Organization: Tennessee State University
Contractor/Consultant/Branch: None
Location: Nashville, Tennessee
Victims: Current and former students
Number Affected: "more than 9,000"
Types of Data: "Social Security numbers, families' financial histories and other information"
Breach Description: "University officials notified the campus community that a flash drive containing financial information and Social Security numbers of more than 9,000 students was reported missing from the campus earlier last week."
Reference URL: The Meter; The Tennessean; WTVF News Channel 5
Report Credit: Kevin Walters, The Tennessean
Response:
From the online sources cited above:
University officials notified the campus community that a flash drive containing financial information and Social Security numbers of more than 9,000 students was reported missing from the campus earlier last week.
Provost Robert Hampton and Internal Auditor Mike Batson fielded questions from the media in a press conference on Sept. 12, held in the foyer of the Ned R. McWherter Administration building.
[Evan] The news conference was posted to YouTube, see below.
Hampton said that a Financial Aid counselor reported the flash drive missing Sept. 9, after she discovered it was no longer in her possession.
[Evan] Thumb drives are incredibly easy to lose, so this is no surprise. In my career, I've probably lost a couple dozen. The difference is that I don't store sensitive information on them.
Hampton described the device as "an ordinary standard thumb drive."
[Evan] Ordinary except for the fact that it contained sensitive financial information belonging to a significant percentage of the school's students.
"We certainly regret this," Hampton said. "(The incident) was inadvertent. There was no malicious intent whatsoever. It's just the case of an employee trying to provide good service and, in so doing, she violated our policy on data protection."
The counselor and other Financial Aid officials had been operating in the Floyd-Payne Campus Center Forum to better manage student traffic and avoid violating fire codes.
In the move from the remote location to the Financial Aid suite on the third floor of the building, the counselor saved the data she'd been processing to the flash drive.
[Evan] I am sure that she regrets this decision now.
University officials neither believe the missing flash drive was encrypted nor password protected, although TSU policy requires Social Security numbers be stored in a separate encrypted and password-protected data file.
The policy reads, "Documents that include (Social Security numbers) must be stored in a secure place. When possible, records containing (Social Security numbers), including back-ups, should be protected during storage by encrypting the numbers in electronic records or storing records in other media in locked cabinets."
[Evan] This reads like a reasonable policy. Are people trained on the policy and held accountable for compliance?
Hampton said the policy had been in place for a while. "We've been working on this policy for several months," Hampton said. "It has been widely disseminated. Every organization on campus has been instructed to share this policy."
[Evan] I have written dozens of information security policies and experience has shown that people don't read them just because they are told to.
The flash drive, which contained financial records of TSU students dating back to 2002, was last seen on Sept. 8.
Spears said that this is the first time an incident has occurred in her seven years with the university. (Linda Spears, associate vice president for Administrative Services)
"Anytime an event like this happens, there is great concern for the individuals involved," Batson said. "We don't have any indication that anyone has accessed the information. But still, you don't want anything to happen."
TSU has also migrated from the use of Social Security numbers as primary personal identification numbers for students to an internally-generated alternate identification number.
[Evan] This is a good idea, but this information was lost by the financial aid office. The financial aid office will still be required to collect and store Social Security numbers.
TSU's Internal Audit department launched a formal investigation and the employee has been placed on paid administrative leave, pending the outcome of the investigation.
University personnel began notifying students last week.
Persons impacted will be sent notification from university personnel via e-mail and letters by Friday, Sept. 19.
"The loss of this data is unfortunate," Hampton said. "It is imperative that we protect our students' personal information."
"As a precautionary measure, TSU will offer credit protection to all students whose records were compromised," a Sept. 12 press release stated. "In addition, mandatory staff training on privacy and proper handling of information will be held for those employees who have access to sensitive student records."
[Evan] TSU is financially strapped (see below). The expense of having to notify the affected individuals and provide "credit protection" services is going to add more financial strain. Well-designed and delivered mandatory training will certainly be more effective than telling people to read.
The loss of the student information marks the latest problem TSU administrators must address, including a February consultants' report that said poor student service risks making the school "irrelevant."
Last week, the school announced it would have to lay off some employees because of a $6 million budget shortfall. Details of the layoffs were due out this week but were not announced. TSU also last week dropped 400 students for their inability to pay portions of their tuition.
Reactions:
"For me personally you know it makes me worry," said graduate student Doniethia Williams, 24. "If you can't keep up with this small amount of information, how are you able to run a school? That's totally ridiculous."
"That's people's personal information. Somebody can go out there and ruin their life. Identity theft is on a high and they lose a flash drive with 9,000 people's information on it? It's ridiculous," said freshman Autumn Sample.
"I'm just getting started and I'm hearing all this bad stuff. I think I might want to leave. I don't know if I want to be here," Sample said.
"(This incident) is adding stress to everything already going on (with registration)," said Dwayne Spearman, a junior education and social work major from Newark, N.J. "You don't lose something that valuable. It's tragic that (the incident) had to happen."
Ashley Collins, a speech communications major from Chicago, said she was concerned when she learned about the missing flash drive.
"That's terrible," Collins said. "We don't know who has that information."
Commentary:
Breaches affecting colleges and universities are nothing new, but one fact that sets this breach apart is that this school is experiencing serious financial problems. A conflict of interest sometimes arises in poorly aligned information security at organizations where budget shortfalls exist. In organizations where information security is aligned within the IT department, oftentimes information security initiatives get cut first because IT is focused on maintaining a certain level of service. I am not implying that this is the case at Tennessee State University; I am just stating that I have witnessed this in other organizations. I sincerely hope that the student information is not used for nefarious purposes and that Tennessee State University can come out of this intact.
Past Breaches: Unknown
