Personal information belonging to 84K+ UND alumni on stolen laptop
Technorati Tag: Security Breach
Date Reported:
10/7/08
Organization:
The Alumni Association of the University of North Dakota (UND Alumni Association)
UND Foundation
Contractor/Consultant/Branch:
"primary software vendor"*
*Not yet named, so unknown
Location:
Grand Forks, North Dakota
Victims:
Alumni
Number Affected:
84,554
Types of Data:
"personal and financial information" including "credit card and Social Security numbers"
Breach Description:
"A laptop computer containing sensitive personal and financial information on more than 84,000 UND alumni, donors and others was stolen last month from a vehicle belonging to a software vendor retained by the UND Alumni Association."
Reference URL:
UND Alumni Association (Notification of Information Loss)
UND Alumni Association (FAQ)
Grand Forks Herald
W3ckUiD3aPc:_Yyc:aU7EaDiaMDCiUT">Star Tribune
Report Credit:
UND Alumni Association
Response:
From the online sources cited above:
A laptop computer containing sensitive personal and financial information on more than 84,000 UND alumni, donors and others was stolen last month from a vehicle belonging to a software vendor retained by the UND Alumni Association.
The laptop was stolen on Sept 19 and we were notified in the afternoon on Sept 26.
[Evan] The date on the UND Alumni Association Notification of Information Loss is October 7th. The amount of time between the laptop theft and notification seems reasonable. Letters to affected individuals will not be mailed until October 10th, which means that many people won't be formally notified until ~ the 13th. I don't know if it was a good idea to make information about the breach publicly available before the people affected were officially notified.
The laptop has not been recovered, but the sensitive information, including individuals’ credit card and Social Security numbers, was protected by a data encryption system and other security controls, according to the Alumni Association.
[Evan] The information from the UND Alumni Association reads as though the database containing the sensitive information was encrypted, not the laptop hard drive. It also reads as though the database was encrypted at the time of delivery to the vendor. Are we sure that the vendor and/or employee did not decrypt the information or store the decryption key in a manner that would be easily accessible prior to storage or while in use on the laptop? This scenario seems entirely feasible and it is not addressed specifically by the announcement.
Through a secured method, we had sent our database to the vendor, a trusted industry leader, for a specific matter of support.
The information was protected by three layers of security controls including a data encryption system.
To explain the three layers of encryption: Layer 1 is getting past the login and password to get on the laptop. Layer 2 is again a login and password that’s needed to execute the application and layer 3 is getting through the AES 256 encryption to access the data.
[Evan] Layer 1 is basically useless and almost not worth mentioning. Layer 2, depending on the application, the password strength, and any password disclosure issues (i.e. written down on a Post-It or typed into a passwords.txt file, etc.) may provide good protection. Layer 3 is excellent depending primarily upon the confidentiality of the decryption key. If a person were able to crack Layer 2, would he/she get through Layer 3 automatically as part of the application?
In June 2003 the U.S. Government announced that AES is secure enough to protect classified information up to the TOP SECRET level.
[Evan] This is true (192 or 256-bit key lengths), but subject to implementation and management factors also. SECRET information can be protected by 128, 192, or 256-bit keys.
Tim O’Keefe, the association’s executive vice president, said today that there has been no evidence that the information contained in the stolen laptop has been used in any way.
"I feel confident that there is an absolutely minimal chance (the security measures protecting the data) could be breached," O'Keefe said.
Except to say the vendor is located outside the state and immediate region, the association will not identify the vendor or say where the theft occurred "to further ensure the security of the database and privacy of member records,"
"The vendor has been cooperative with us," he said, and identifying the company could allow whoever has the laptop to "discover they have something more valuable than they thought."
The security technology protecting the information "is absolutely the best you can buy," O'Keefe said.
[Evan] Obviously, this is subjective.
"Despite following state-of-the-art technology procedures on our end, we deeply regret this issue has occurred with our vendor," he said. "We are holding them accountable and exploring all possible additional measures to ensure this does not happen again."
The vendor will make an online credit monitoring service available at no cost to affected individuals
A personal activation code will be mailed to each affected individual for whom the association has contact information, along with a detailed explanation of what happened.
Individuals have until January 31, 2009, to activate this credit monitoring by using you personal assigned activation code, which is detailed in the letter the UND Alumni Association and UND Foundation mailed to your home on Oct. 10, 2008.
[Evan] Today (the date this article was posted to The Breach Blog) is the 8th.
The exact number of households whose information was included in the database is 75,719
The total number of people affected is 84,554
The UND Alumni Association and UND Foundation has worked swiftly and diligently with the vendor as well as a third party investigator to come to this conclusion and distribute the best information possible.
Our understanding from the vendor is that there were other databases on the computer. For security reasons the vendor has not shared those organizations’ names with us nor ours with them.
[Evan] Uh oh! Co-mingling of information from multiple sources ain't cool. Who else will we see make an announcement soon?
We examined several vendors and for this kind of work, this vendor is considered the industry leader.
[Evan] Does anybody have any guesses as to whom the vendor may be?
Commentary:
Overall, it seems like the UND Alumni Association was aware of the information's value and risks involved with storage and transport to the vendor. The organization encrypted the information prior to transport, notified affected individuals promptly and communicated some details openly (minus the vendor name).
The vendor on the other hand... who knows? We don't seem to know for sure if the information was still encrypted at the time that the laptop was stolen, we don't know what other organization's information was on the laptop, or any other circumstances surrounding this incident. It isn't just the UND Alumni Association that affected people need to trust. People also have to trust this unnamed vendor that the UND Alumni Association has decided to share personal information with. I would expect more details in the coming days or weeks.
Past Breaches:
Unknown
Date Reported:10/7/08
Organization:
The Alumni Association of the University of North Dakota (UND Alumni Association)
UND Foundation
Contractor/Consultant/Branch:
"primary software vendor"*
*Not yet named, so unknown
Location:
Grand Forks, North Dakota
Victims:
Alumni
Number Affected:
84,554
Types of Data:
"personal and financial information" including "credit card and Social Security numbers"
Breach Description:
"A laptop computer containing sensitive personal and financial information on more than 84,000 UND alumni, donors and others was stolen last month from a vehicle belonging to a software vendor retained by the UND Alumni Association."
Reference URL:
UND Alumni Association (Notification of Information Loss)
UND Alumni Association (FAQ)
Grand Forks Herald
W3ckUiD3aPc:_Yyc:aU7EaDiaMDCiUT">Star Tribune
Report Credit:
UND Alumni Association
Response:
From the online sources cited above:
A laptop computer containing sensitive personal and financial information on more than 84,000 UND alumni, donors and others was stolen last month from a vehicle belonging to a software vendor retained by the UND Alumni Association.
The laptop was stolen on Sept 19 and we were notified in the afternoon on Sept 26.
[Evan] The date on the UND Alumni Association Notification of Information Loss is October 7th. The amount of time between the laptop theft and notification seems reasonable. Letters to affected individuals will not be mailed until October 10th, which means that many people won't be formally notified until ~ the 13th. I don't know if it was a good idea to make information about the breach publicly available before the people affected were officially notified.
The laptop has not been recovered, but the sensitive information, including individuals’ credit card and Social Security numbers, was protected by a data encryption system and other security controls, according to the Alumni Association.
[Evan] The information from the UND Alumni Association reads as though the database containing the sensitive information was encrypted, not the laptop hard drive. It also reads as though the database was encrypted at the time of delivery to the vendor. Are we sure that the vendor and/or employee did not decrypt the information or store the decryption key in a manner that would be easily accessible prior to storage or while in use on the laptop? This scenario seems entirely feasible and it is not addressed specifically by the announcement.
Through a secured method, we had sent our database to the vendor, a trusted industry leader, for a specific matter of support.
The information was protected by three layers of security controls including a data encryption system.
To explain the three layers of encryption: Layer 1 is getting past the login and password to get on the laptop. Layer 2 is again a login and password that’s needed to execute the application and layer 3 is getting through the AES 256 encryption to access the data.
[Evan] Layer 1 is basically useless and almost not worth mentioning. Layer 2, depending on the application, the password strength, and any password disclosure issues (i.e. written down on a Post-It or typed into a passwords.txt file, etc.) may provide good protection. Layer 3 is excellent depending primarily upon the confidentiality of the decryption key. If a person were able to crack Layer 2, would he/she get through Layer 3 automatically as part of the application?
In June 2003 the U.S. Government announced that AES is secure enough to protect classified information up to the TOP SECRET level.
[Evan] This is true (192 or 256-bit key lengths), but subject to implementation and management factors also. SECRET information can be protected by 128, 192, or 256-bit keys.
Tim O’Keefe, the association’s executive vice president, said today that there has been no evidence that the information contained in the stolen laptop has been used in any way.
"I feel confident that there is an absolutely minimal chance (the security measures protecting the data) could be breached," O'Keefe said.
Except to say the vendor is located outside the state and immediate region, the association will not identify the vendor or say where the theft occurred "to further ensure the security of the database and privacy of member records,"
"The vendor has been cooperative with us," he said, and identifying the company could allow whoever has the laptop to "discover they have something more valuable than they thought."
The security technology protecting the information "is absolutely the best you can buy," O'Keefe said.
[Evan] Obviously, this is subjective.
"Despite following state-of-the-art technology procedures on our end, we deeply regret this issue has occurred with our vendor," he said. "We are holding them accountable and exploring all possible additional measures to ensure this does not happen again."
The vendor will make an online credit monitoring service available at no cost to affected individuals
A personal activation code will be mailed to each affected individual for whom the association has contact information, along with a detailed explanation of what happened.
Individuals have until January 31, 2009, to activate this credit monitoring by using you personal assigned activation code, which is detailed in the letter the UND Alumni Association and UND Foundation mailed to your home on Oct. 10, 2008.
[Evan] Today (the date this article was posted to The Breach Blog) is the 8th.
The exact number of households whose information was included in the database is 75,719
The total number of people affected is 84,554
The UND Alumni Association and UND Foundation has worked swiftly and diligently with the vendor as well as a third party investigator to come to this conclusion and distribute the best information possible.
Our understanding from the vendor is that there were other databases on the computer. For security reasons the vendor has not shared those organizations’ names with us nor ours with them.
[Evan] Uh oh! Co-mingling of information from multiple sources ain't cool. Who else will we see make an announcement soon?
We examined several vendors and for this kind of work, this vendor is considered the industry leader.
[Evan] Does anybody have any guesses as to whom the vendor may be?
Commentary:
Overall, it seems like the UND Alumni Association was aware of the information's value and risks involved with storage and transport to the vendor. The organization encrypted the information prior to transport, notified affected individuals promptly and communicated some details openly (minus the vendor name).
The vendor on the other hand... who knows? We don't seem to know for sure if the information was still encrypted at the time that the laptop was stolen, we don't know what other organization's information was on the laptop, or any other circumstances surrounding this incident. It isn't just the UND Alumni Association that affected people need to trust. People also have to trust this unnamed vendor that the UND Alumni Association has decided to share personal information with. I would expect more details in the coming days or weeks.
Past Breaches:
Unknown
Posted by Evan Francen at 10/8/2008 1:39 PM 
Categories: UND Alumni Association, UND Foundation, Stolen Laptop
Categories: UND Alumni Association, UND Foundation, Stolen Laptop
Posts Atom 1.0
While I normally check this blog to stay abreast of recent breaches, I was able to let a friend who is an alumna of UND know of her potential exposure after seeing this entry.
Reply to this
It is important to look at these situations objectively and to be completely above board in getting the word out. Even the President's Task Force on Identity Theft said "There is no magic bullet to eradicate identity theft...only a comprehensive and fully coordinated strategy...between government, law enforcement and the private sector... will stand any chance of solving the problem." We ALL need to remain involved and subject to scrutiny. In regard to the laptop, a laptop in a car is a no-no. Technology can be undone by human error, a significant contributor in breaches. Another step in safeguarding laptops is to start with biometric access AND then an encrypted laptop tracking/recovery service. Not as expensive as one may think.
Reply to this