External hard drive stolen from Ohio University

Date Reported:
12/24/08

Organization:
Ohio University

Contractor/Consultant/Branch:
Ohio University-Chillicothe
Ohio University-Chillicothe Health and Wellness Center

Location:
Chillicothe, Ohio

Victims:
"current and former members"

Number Affected:
38

Types of Data:
Personal information, including Social Security numbers

Breach Description:
"Thirty-eight current and former members of the Ohio University-Chillicothe Health & Wellness Center had some personal information stored on a computer hard drive stolen from the university, officials reported Tuesday."

Reference URL:
Chillicothe Gazette

Report Credit:
Chillicothe Gazette Staff

Response:
From the online source cited above:

Thirty-eight current and former members of the Ohio University-Chillicothe Health & Wellness Center had some personal information stored on a computer hard drive stolen from the university, officials reported Tuesday.
[Evan] Although this breach only affects a small number of people, there are still some very important lessons to be learned.

The information was maintained on a single, stand-alone computer utilizing specialized software.
[Evan] We don't know what the "specialized software" is.  I always feel a little uncomfortable when I read about "specialized software" represented as a protection or control.  When I think of "specialized software", I think of software designed for a specific purpose or software designed to carry out a specific task.  Specialized software doesn't necessarily equate to secure in my mind.

Without this specialized software, it would be difficult to read the information, university officials said.
[Evan] Is this "specialized software" difficult to acquire or use?  If not, then why would we care?

OU-C has attempted to contact the individuals whose information was on the drive, including Social Security numbers, to inform them of the theft.

OU-C spokesman Jack Jeffrey said there is no indication this information has been used by anyone or otherwise compromised.

However, to protect individuals from potential identity theft, those individuals whose Social Security numbers were on the external hard drive are being offered, at no cost, credit monitoring service with Equifax for one year.
[Evan] We know that "credit monitoring" is a post-incident, detective control.  A person will only be alerted to fraud after it has occurred, right?  If a person doesn't continue with the credit monitoring (at his/her own expense) after the year has expired, then what?  There is still the problem of potential unauthorized disclosure (and use?) of sensitive information (Social Security numbers).

"We apologize for any trouble and inconvenience this may have caused and are taking steps to address this situation," Dean Richard Bebee said.

The external hard drive, which was used as a back-up data-storage measure, was discovered missing Dec. 9.
[Evan] Backups are obviously important to protect data from loss, but the confidentiality of the data on backup media needs to be adequately taken into account.  Backup media is often mobile (as in the case of an external hard drive), and good security personnel should account for loss of the media.  Many of us choose to encrypt the data on the media.

Steps were taken to determine what the actual information on the device was, and OU-C officials worked with information technology security experts at the university.

Updated university policy dictates that Social Security numbers no longer are collected for identification purposes.

Anyone who thinks he or she has been a victim of fraud should contact their local law enforcement agency.

Individuals with further questions are asked to call OU-C at 774-7200 during business hours.

The university will be closed for the holidays Thursday and Friday for Christmas, and Thursday, Jan. 1 for New Year's Day.

Commentary:
There are still far more organizations that do not account for lost/stolen backup media in their information security programs than there are that do.  Hopefully your organization is included in the latter as opposed to the former.

Past Breaches:
Ohio University:
July, 2008 - The Centers for Osteopathic Research and Education exposure
