Laptop stolen from University of Oregon affects youth with disabilities

Date Reported:
1/13/09

Organization:
State of Oregon

Contractor/Consultant/Branch:
Oregon Department of Human Services
Office of Vocational Rehabilitation Services
University of Oregon

Location:
Eugene, Oregon

Victims:
Youth Transition Program ("YTP") participants

Number Affected:
Unknown

Types of Data:
Personal information including names and Social Security numbers

Breach Description:
"A laptop computer with the names and social security numbers of disabled youth in a state employment program was stolen in October from a University of Oregon employee, the university announced today."

Reference URL:
University of Oregon Media Relations
The Oregonian

Report Credit:
University of Oregon Media Relations

Response:
From the online sources cited above:

EUGENE, Ore. -- (Jan. 13, 2009) – A laptop computer containing data files for Youth Transition Program (YTP) participants was stolen from a University of Oregon employee near the end of October, and some of those files contained the names and social security numbers of YTP participants.
[Evan] End of October?  This is January.

The theft appeared to be random and the computer was password protected.

There is no indication that the thief has been able to access any of the computer’s files.
[Evan] An idiot could access the computer's files if the only thing stopping them is the operating system password.  I guess we can hope that the thief has less intelligence than an idiot.

The YTP is a collaborative transition program that serves more than 1,200 youths with disabilities statewide in Oregon.

The program provides career planning and employment services to individuals ages 17 to 21 who have a variety of disabilities including learning disabilities, attention deficit disorder, emotional disabilities and mental retardation.
[Evan] Ugh, how irritating.  These youth are perfect victims for identity theft and thanks to poor information security practices on the part of the University of Oregon, they are one step closer than they should be.

The program is run by the Oregon Department of Human Services, Office of Vocational Rehabilitation Services (OVRS).
[Evan] The Oregon Department of Human Services and the Office of Vocational Rehabilitation Services both have a responsibility to ensure that the third parties performing work on their behalf follow good information security practices.  Storing confidential information on a poorly secured laptop computer is not a good information security practice, and it doesn't (shouldn't) take an information security professional to tell you so.  At some point, you need to use a little common sense.

However, the university provides evaluation services for OVRS to help the agency determine which programs are most effective.

The university has sent notification letters to the participants whose personal information may have been on the computer, but some of those letters have been returned with no forwarding addresses.

Participants who were involved with the YTP program from 2004 to 2007 are urged to monitor their financial accounts and credit reports for suspicious activity.

Any suspected identity theft should be reported to law enforcement agencies, including the Federal Trade Commission.

“Keeping personal information private and safe is a high priority at the university,” said Rich Linton, UO vice president for research and graduate studies. “This instance is very unfortunate and we’ve already taken steps to help ensure that such criminal acts can’t lead to potential compromises of personal information.”
[Evan] This instance is more than "very unfortunate".  The word negligent comes to mind.

The university has already made several changes that will help to insure that this situation does not occur again.

This includes no longer collecting the social security numbers of YTP participants, storing YTP data on an encrypted web-based system, and requiring employees involved with YTP to delete records stored on individual laptop computers.
[Evan] How about encrypting laptops and other mobile devices?!?!  The steps mentioned by the school are all good, but there should be more done to protect information still residing on laptops.  A defense-in-depth approach (a well-known information security concept) would probably call for better protection on laptops.

Questions from YTP program participants from 2004 through 2007 may be directed to the university’s Office for Protection of Human Subjects at .

Commentary:
Throughout this posting, I am assuming that there is no encryption.  This being said, I am still baffled by what appears to be a reluctance on the part of some organizations to use encryption.  Is it a lack of understanding?  Do people think it's too complicated and hard to use?  I'm not sure really.

If you can't protect it, don't collect it.

Past Breaches:
Unknown


 