Sensitive information from the 70s found in Binghamton U dumpster

Date Reported:
10/17/08

Organization:
State University of New York

Contractor/Consultant/Branch:
Binghamton University

Location:
Binghamton, New York

Victims:
"students who attended Binghamton University in the 1970s"

Number Affected:
56

Types of Data:
Names, dates of birth, Social Security numbers and other sensitive information

Breach Description:
"Members of the WHRW news team came across a stack of documents containing the names, Social Security numbers and other personal information of students who attended Binghamton University in the 1970s in a dumpster on campus last week."

Reference URL:
Binghamton University Pipe Dream

Report Credit:
Ashley Tarr, Binghamton University Pipe Dream

Response:
From the online source cited above:

Members of the WHRW news team came across a stack of documents containing the names, Social Security numbers and other personal information of students who attended Binghamton University in the 1970s in a dumpster on campus last week.
[Evan] On The Breach Blog this week we have read about two breaches involving information dating back to the 70s, the other being the KRM Risk Management (oxymoron?) breach.

Five members of WHRW, Binghamton University’s campus radio station, found the papers lying in a dumpster near the loading dock next to the New University Union last Monday, Oct. 13.

The documents included 56 names and Social Security numbers in a total of 91 different documents.

Some entries also included birth dates, residences, grades and stipend information of what appeared to be students in the German department from the 1970s.

"We were going by the loading dock because the University throws out really neat stuff there and we found a stack of documents on top of a dumpster," WHRW’s News Director Rob Glass said.
[Evan] Really neat stuff like sensitive personal documents.  Unofficial school response: "And we would have gotten away with it, if it wasn't for you meddling kids!"  What good is a breach without a little Scooby-Doo?

The individuals then took the documents back to their office to catalogue the information so they’d be able to contact the individuals, and contacted the University the next morning.

"They [members of the administration] showed deep concern and sent a University Police Department investigator over to collect the documents within the hour," he said, adding that the news team also turned over a list of people who had access to the documents.

BU spokeswoman Gail Glover said the documents were found in a recycling bin in the loading dock, and that some of the 56 people listed are now deceased.

The University is still investigating how the documents were left in the dumpster and how information security can be improved.
[Evan] There are ALWAYS ways to improve information security and you usually don't have to look too hard.

"Although we have no indication that any of this information will be misused, the University provided information on how the individuals can place a fraud alert through one of the three major credit agencies,"

Glover said the University-wide practice is that any documentation no longer needed should be shredded.

Commentary:
I wonder how much sensitive information is thrown in the garbage that is never reported. All organizations should have policies and procedures that deal with how long to keep information (data retention) and what to do with it when it is no longer needed (data destruction). Logic would tell us that as the amount of information increases and the amount of time for which we keep it increases, the risk of compromise would also increase. Obviously there are other factors, but in general terms this holds true.

Destroy information you are no longer required to keep and no longer need.

Past Breaches:
March, 2008 - Binghamton University mistaken email exposes students


 