Laptop stolen from University of Florida contains personal information for more than 8,300


Date Reported:
9/1/10

Organization:
University of Florida

Contractor/Consultant/Branch:
P.K. Yonge Developmental Research School

Location:
San Francisco, California

Victims:
"PKY personnel, volunteers and students for the academic years 2000-2010"

Number Affected:
"more than 8,300"

Types of Data:
"combination of name, social security number and/or driver license number, address, date of birth, phone number(s) and/or salary"

Breach Description:
"A laptop containing the personal information of more than 8,300 current and former employees and students of P.K. Yonge Development Research School was stolen last month in San Francisco, the University of Florida announced Tuesday."

Reference URL:
University of Florida "P.K. Yonge Data Breach" site
Orlando Sentinel
The Gainesville Sun
The Miami Herald

Report Credit:
University of Florida, by way of The Office of Inadequate Security

Response:
From the online sources cited above:

GAINESVILLE, Fla. — The personal information of more than 8,300 current and former students and employees of P.K. Yonge Development Research School was on a laptop computer stolen last month.
[Evan] There are multiple poor information security practices leading to this breach.  #1 - Personal information was permitted to be stored on a mobile device.  #2 - The mobile device was not adequately protected.  #3 - The mobile device was left unattended in plain sight (in a rental car).  If any one of these three poor practices were actually a good practice, we probably wouldn't have a breach.

P.K. Yonge is a kindergarten-through-grade-12 laboratory school affiliated with University of Florida’s College of Education.

The computer files contained employee payroll, employee parking permit and student information dating back to 2000 and included names, Social Security numbers and, in some cases, Florida driver’s license numbers.
[Evan] Generally speaking, it's not a good idea to keep this data on a laptop, is it?

Officials have confirmed that no student academic or medical records were on the computer.

Also, no credit card information was on the computer.

This week, school officials mailed letters to 841 people explaining that their information was included in the breach.

Additional letters will be mailed next week once names and addresses are matched with Social Security and driver’s license numbers.

School officials have determined contact information may not be available for everyone with information on the computer.
[Evan] Hopefully people won't find out through other means; like fraud.

“We regret that this incident occurred and are working diligently to notify the people who may be impacted by this theft,” P.K. Yonge Director Fran Vandiver said.

The laptop computer was stolen July 23 from a P.K. Yonge employee’s rental car in San Francisco.

The theft was reported to California police and later to the University of Florida Police Department.
[Evan] Ideally, the first party contacted would be the school's information security incident responders.  The police are not always the best place to start.

The computer files were protected with passwords, but school officials have no way of knowing if the information was accessed.
[Evan] Passwords are nearly useless at protecting the information from a determined bad guy (or gal).  If the data were not encrypted, we should consider it disclosed.

University and school officials are taking steps to prevent a similar situation in the future.

P.K. Yonge is installing protective encryption software on laptops that contain restricted data, and the university continues to review and improve its policies and procedures for protecting information.
[Evan] Later is better than never.  Reactive information security can get spendy, especially if you encounter a breach.  Why does it take a breach to wake people up?  P.K. Yonge can hardly claim that they didn't know any better!

“Employees and students have entrusted us with their personal information, and we take that responsibility seriously,” said Elias Eldayrie, UF’s chief information officer. “We are committed, as always, to continuous improvement and doing everything that we can to protect university data.”

People who believe their information may have been on the computer should take appropriate precautions to safeguard it.
[Evan] What good is it for people to "take appropriate precautions to safeguard" their data, when organizations continually lose control of it?

Learn about the steps to take to reduce the risk of fraud and read the available information on this privacy incident online at: http://privacy.ufl.edu/incidents/.

Anyone with questions about this breach should call the UF Privacy Office Hotline at 1- until Sept. 6. Starting Sept. 7, all callers should use 1-.

Commentary:
Well, our friend(s) at the Office of Inadequate Security is certainly correct; I am frustrated.  There should be NO reason for breaches like this anymore, yet we read about them all of the time.  If you want to give up your own personal information go right ahead, but when you abandon good information security principles and expose other people, it miffs me.  The University of Florida must be getting pretty good at responding to data breaches with all of the practice they've had.  This is the sixth (6th) breach from the school reported on The Breach Blog alone.

Past Breaches:
University of Florida - Numerous (5 others) between November, 2007 - Present

 