Yale University Exposes 10,200 in Stolen Computers
Date Reported:
8/8/07
Organization:
Yale University
Contractor/Consultant:
None
Number Affected:
10,200
Types of Data:
Name and Social Security number
Breach Description:
Two computers were reported stolen from the Yale College Dean's Office on July 17th that contained names and Social Security numbers on roughly 10,000 current and former students and approximately 200 staff members.
Reference URL:
http://www.yaledailynews.com/articles/view/21093
http://security.yale.edu/goodmeasures/physical/loststolen.html
Report Credit:
Steven Siegel, Staff Reporter for Yale Daily News
Response:
From the online articles listed above:
Have you ever heard this one before? "The computers were password-protected, and were probably stolen to be sold rather than for the data stored on them, University officials said."
[Comfyllama] Password protection means little more than nothing. Password protection is potentially circumvented in seconds. Why steal a computer for the hardware ($200-2,000) rather than the information (~$20-100/record * 10,200 = $204,000 - 1,020,000)! This information may not be common knowledge for the common criminal, but it is just a matter of time. The only way to ensure that the data is safe is through encryption, period.
“The University does not believe that this incident presents a significant danger of identity theft because the crime was almost certainly aimed at obtaining hardware for sale — not at exploiting the data that were on the computers,” the University said in a statement.
The lost files had not been maintained for any purpose, Conroy said, but were overlooked in the University’s efforts at reducing the amount of personal information it holds.
Commentary:
A well-respected school like Yale should know better. Question #1, why was this data on a personal computer in the first place? Question #2, why is this type of data stored unencrypted? Question #3, why insult the intelligence of victims by assuring them that there is little risk based on password protection and low criminal intelligence?
Past Breaches:
None since August 2007