Desktop computer stolen from CCNY affects more than 7,000 students
Date Reported:

9/7/10
Organization:
The City University of New York
Contractor/Consultant/Branch:
City College of New York
Location:
New York, New York
Victims:
Students
Number Affected:
"More than 7,000"
Types of Data:
Personal information, including "names and Social Security numbers".
Breach Description:
"Red-faced officials at City College of New York, one of the colleges of The City University of New York, sent warning letters to 7,000 students telling them a computer containing personal information - including their names and Social Security numbers - had been stolen a few weeks ago."
Reference URL:
WABC-TV ABC Eyewitness News
NYDailyNews.com
Report Credit:
Jim Dolan, WABC-TV ABC Eyewitness News
Response:
From the online sources cited above:
CUNY is flunking security.
[Evan] I didn't say it, the Daily News staff writer did ;)
This school year is getting off to a bit of a rough start for thousands of CUNY students.
More than 7,000 of them received letters saying their names and Social Security numbers had been stolen.
Now, there is growing concern about overall security at the university.
[Evan] Keyword "concern". One of the motivations for writing the Breach Blog is to raise concern (or awareness) for the consequences of poor information security. I/we wish more people had sufficient concern prior to bad things happening, but we can only do what we can do. People in general are motivated by money, right? How about this: some studies claim that a breach costs an average of 7x more than proactive information security.
It was one computer that was stolen, but it contained the names and information of the 7,000 City College of New York students.
The computer was password protected, but it's out there, and that has left students and their parents wondering who stole it and what they intend to do with it.
[Evan] The mention of password protection may convince some people that the information is/was sufficiently protected. The fact of the matter is that password protection (likely Windows) is NOT sufficient in the protection of data stored on the disk. Password protection is easily bypassed in less than the time it takes me to write this sentence.
Bianca Arroyo could not believe what she was reading.
"I called my son right away and told him something is wrong, something happened in the school, someone stole someone's computer with a database with the personal information," Arroyo said.
[Evan] Don't mess with moms!
Arroyo got a letter on Saturday from CCNY, where her son is a junior.
"I'm worried, you know, because the situation with things happening nowadays with identity theft that later on that something could happen to my son, and now he'd have to be the one responsible for it," Arroyo said.
The letter said that if anyone had questions regarding the matter to contact an assistant vice president of the school at , but students said no one answered the number provided.
[Evan] Nice. Call us if you have questions so that we can ignore your phone calls.
"I've gone to the school for the past two years, I don't want anyone looking at my information," said one student.
"Why was that all on one computer? It's a good question right?" said another student.
[Evan] That is a great question! Even better, why was all this sensitive information on this (poorly secured) computer?
"This time it's the computer, but who knows what's next," another student said.
"If that can happen, anything can happen in the school," she said. "There's no security, the way it should be."
[Evan] The part of this comment that I find interesting is this student's perception that "There's no security, the way it should be." Whether there is security or not, this perception is not one that I would want anyone to have about my security.
A spokesperson for the school says there is no evidence yet that anyone's personal information has been compromised.
However, the computer was only stolen a few weeks ago, so it may be too soon to tell.
The school says it is making efforts to ensure that computers that contain this kind of information are better protected in the future.
[Evan] Like how? If I were a student of this school (information owner), I would demand to know more.
Commentary:
OK, what would have been a good way to prevent a breach like this one? Here are some simple ideas off the top of my head.
First, we could prevent sensitive information like this from being accessed from or stored on client (desktop and laptop) computers.
Second, we could ensure that computers from which sensitive information may be accessed and/or on which sensitive information may be stored are secured with full disk encryption.
Third, improve physical security controls to prevent and detect access to and theft from offices and other restricted areas.
You can probably come up with some more, but you get the gist of it.
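To act on the first idea you have to know which client machines hold this kind of data. The sketch below is an added example, not part of the original post or the cited news reports: it sweeps a directory tree for Social Security number candidates and reports only masked hits. The file names and sample SSNs are constructed, and the function names are hypothetical.

```python
import os
import re
import tempfile

# Nine digits written as AAA-GG-SSSS or run together, not embedded in a longer number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")

def plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def scan_text(text):
    """Return masked SSN candidates found in text (last four digits only)."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append("***-**-" + m.group(3))
    return hits

def scan_tree(root, max_bytes=5_000_000):
    """Walk root and return {path: hit_count} for files holding SSN candidates."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip very large files in this simple sweep
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip, do not abort the sweep
            if hits:
                findings[path] = len(hits)
    return findings

def demo():
    """Constructed sample: one roster with two fake SSNs, one clean file."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "roster.csv"), "w") as fh:
            fh.write("name,ssn\nA. Student,123-45-6789\nB. Student,078051120\nC,000-12-3456\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("Order 1234567890 shipped; call 555-0100.\n")
        found = scan_tree(root)
        return {os.path.basename(p): n for p, n in found.items()}

if __name__ == "__main__":
    print(demo())
```

A hit is only a candidate for review, since nine-digit numbers also appear in unrelated data. Any machine that turns up real records is one to clean or to bring under full disk encryption.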
Past Breaches:
City University of New York (CUNY):
November, 2007 - Stolen CUNY laptop exposes 23,000 students