Backup tape lost from Harvard Law School
Date Reported:
11/06/08
Organization:
Harvard University
Contractor/Consultant/Branch:
Harvard Law School
The Legal Services Center*
*"the Legal Services Center is a general practice law firm that provides legal counsel to over 1,200 clients annually, some of whom are very poor, but many of whom can and do make co-payments or pay on a lower-than-market basis for the service they receive. The Center, Harvard Law School’s oldest and largest clinical teaching facility, offers students an opportunity to gain practical legal experience and earn academic credit by handling real cases for real clients under the supervision of Clinical Instructors who are experienced practitioners and mentors." Source: About the Legal Services Center
Location:
Jamaica Plain, Massachusetts
Victims:
Clients
Number Affected:
21,000
Types of Data:
"a variety of client data, including names, Social Security numbers, contact information, financial information, and other personal information"
Breach Description:
"BOSTON (AP) - A computer tape containing data on 21,000 clients of a Harvard Law School legal clinic was lost last month but there is little chance of identity theft, school officials said."
Reference URL:
Harvard Law School Special Notice
Boston Herald
Boston Business Journal
Report Credit:
Harvard Law School
Response:
From the online sources cited above:
NOTICE OF SECURITY BREACH: Harvard Law School hereby gives the following notice to persons who were clients of its Legal Services Center in Jamaica Plain between 1994 and September 23, 2008:
[Evan] This breach concerns information that dates as old as 14 years!? Is there some legal requirement that prohibits the center from destroying information that is no longer used? Do they have a data retention policy? Doesn't seem right.
In our effort to provide clients with the best possible service, the Harvard Law School Legal Services Center ("LSC") has implemented an electronic records system.
The system enables LSC students and supervising attorneys to organize case information and to track the progression of cases.
To ensure that case information is not lost in the event of a power failure or other system issue, Harvard Law School ("HLS") has implemented a protocol for backing-up the data.
[Evan] I could be my usual smart ass here, but I am holding back.
HLS recently discovered that one of the tapes used to back-up the LSC case management system is missing.
The tape was last seen on September 23, 2008.
The missing tape was lost in September while it was being transported from a legal services clinic in Jamaica Plain to the school’s campus in Cambridge, said university spokesman Robb London.
"It was not a case of a hacking (theft)," said London.
[Evan] So what? Am I or is he missing the point?
Since discovering its absence, HLS has conducted an exhaustive search, but has not been able to account for the tape.
The missing tape contains a variety of client data, including names, Social Security numbers, contact information, financial information, and other personal information.
[Evan] This seems like information that didn't need to be kept. I can understand keeping recent records, those required by law, and those required in order to conduct business. I don't understand keeping sensitive information dating back as much as 14 years or Social Security numbers post-billing/receiving/reporting.
The tape included Social Security numbers for about 8,000 present and former clients and other types of information on 13,000 other clients.
The missing tape is password-protected, however, and cannot be read without specialized skills and equipment.
[Evan] I think that data disclosure from a lost backup tape is slightly (key word) less probable than from a lost laptop. Password protection is typically not difficult to circumvent, and the "specialized skills and equipment" required to access the information isn't really all that specialized. The fact of the matter is that there is an increased risk of data disclosure which is unnecessary if HLS had used better control.
There are also no marks on the tape that indicate the type of information stored on it.
[Evan] Again, so what? Information security through obscurity ain't information security.
Nevertheless, because of the sensitive nature of the data on the tape, we believe it is important to inform you of its loss.
To this point, there has been no indication that the tape has been acquired by an unauthorized person or that the data has been accessed.
However, because HLS has not yet located the tape, we cannot rule out that possibility.
We therefore recommend that you remain alert for possible fraud and identity theft by reviewing and monitoring your credit and financial account information for unauthorized activity.
Under state law, you may order a "security freeze" on your credit reports as a further precaution.
We will work with anyone who has questions about these steps and will reimburse the fees, if any, for placing a security freeze.
We have also set up a special phone number at LSC to answer questions. The number is 1-.
We are truly sorry for the inconvenience and concern this event may cause.
"While we regret this, we really believe that the risk of access to this data is extremely low," London said.
[Evan] Risk in this case is highly subjective. Again, the risk is unnecessarily increased.
Please be assured that we are taking steps internally in an effort to prevent future incidents of this kind.
[Evan] Like? How about this brand new technology called encryption? Wait! Cryptography has been around for more than 4500 years!
We will let you know if we obtain any additional information suggesting that your personal information has in fact been compromised.
Harvard Law School is contacting clients and running legal notices in newspapers to inform people about the tape loss, London said.
The missing tape was one of six transported each week to Harvard for backup purposes.
The school will have a courier service transport tapes in the future and is paying for credit-monitoring for those whose Social Security numbers were on the lost tape.
[Evan] Courier services lose tapes too. So a good information security type, defense in depth type, question to ask would be: what prevents the disclosure of information if a tape is lost or stolen? If, after a risk assessment, it is determined that password protection is enough, then so be it.
Commentary:
There was no mention of encryption in any of the references cited above, so I am assuming there was none used. I am still a little puzzled as to why data which was so aged was involved.
Past Breaches:
Harvard University:
March, 2008 - Harvard University warns graduate students about web hack
