Portland Community College notifies victims of lost flash drive
|
Date Reported:
8/12/10
Organization:
State of Oregon
Contractor/Consultant/Branch:
Oregon Department of Human Services
Portland Community College
Oregon Food Stamp Employment Transition Program, also known as OFSET
Location:
One or more campuses
Victims:
"Multnomah County participants in the Oregon Food Stamp Employment Transition Program"
Number Affected:
"an estimated 2,900"
Types of Data:
Personal information including "names and Social Security numbers"
Breach Description:
"A car owned by an employee of Portland Community College was broken into on Thursday, Aug 5. Among the stolen items was a data-storage device containing the names and Social Security numbers of an estimated 2,900 Multnomah County participants in the Oregon Food Stamp Employment Transition Program, also known as OFSET."
Reference URL:
Portland Community College Announcement
The Oregonian
Portland Community College Incident Response
Report Credit:
Portland Community College
Response:
From the online sources cited above:
On Aug. 5, a PCC employee reported that a car had been broken into and items were stolen.
The employee had been transferring information from one PCC work location to the other.
[Evan] Not by any means a good excuse for this breach.
One of items taken was a data storage device that held the names and Social Security numbers of participants in the Oregon Food Stamp Employment and Transition Program.
[Evan] Breaches resulting from the theft of media and/or computing devices from vehicles is way too common. You would think that people would get it by now. The "data storage device" referred to is a flash drive. If only there was a way to encrypt data on a flash drive. Wait! There is.
PCC recently became aware of this matter and has moved quickly to notify those concerned, even though there is no indication at this point that any of the personal information in question has been accessed by anyone outside the college.
[Evan] What do you suppose most people do when they find a flash drive? They connect it to their computer because they are curious about its contents. There have been multiple studies to support this. We can almost be certain that these files will be accessed. The question then becomes; what will the person do with the data?
We have notified participants in the Oregon Food Stamp Employment and Transition Program who we identify as potentially impacted by this incident and offered them free online credit monitoring services in an effort to prevent them from becoming a victim of identity theft.
Copy of letter that was delivered to each impacted participant [pdf]
To assist in protecting the identities of those affected, PCC has offered, at no cost, for one year, Debix Credit Protection.
Frequently Asked Questions:
Why is my personal information at risk?
The employee whose car was broken into was working at two PCC locations and was transferring information from one site to the other when the theft occurred. Among the stolen items was a data-storage device containing the names and Social Security numbers of an estimated 2,900 participants in the Oregon Food Stamp Employment Transition Program.
There is no indication at this point that any of the personal information in question has been accessed by anyone outside the college. To err on the side of caution, we’re encouraging affected individuals to consider taking appropriate precautions.
Were addresses and phone numbers in the student data files?
No.
[Evan] Addresses and phone numbers for most of the people will be pretty easy to find in phone books and/or other directories.
Does PCC have policies in place to try and prevent this sort of data loss?
PCC’s Information Security Policies can be found here: www.pcc.edu/resources/tss/info-security/
[Evan] I took a look at their policies. If this is all that they have, then they are missing quite a bit. Let's hope that there's more somewhere. According to the policies posted online, the behavior that led to this breach was not in violation of policy. Of course, FRSecure would be glad to help PCC design and implement a thorough information security program ;).
Commentary:
The use of flash drives can be dangerous without taking the proper precautions. Only those people who have a business justified business need to use removable media should be allowed to do so. Policy should state what acceptable use is for removable media including when removable media may be used, what data may be stored on removable media, and under what conditions. Once policy is defined, technical controls should be deployed and personnel should be trained. Of the 50 or so information security assessments we have done in the past 12 months, I would say around 50% of the organizations did not have adequate controls around removable media use. If you are in the same boat, it's time to do something about it!
Past Breaches:
Unknown
Posted by Evan Francen at 8/18/2010 7:07 PM 
Categories: State of Oregon, Portland Community College, Stolen Media
Categories: State of Oregon, Portland Community College, Stolen Media
Posts Atom 1.0
Comments