Stolen University of Pittsburgh laptop affects alumni
Technorati Tag: Security Breach
Date Reported:
9/9/08
Organization:
University of Pittsburgh
Contractor/Consultant/Branch:
College of Business Administration
Victims:
Alumni
Number Affected:
Unknown
Types of Data:
"personal information including their names and Social Security numbers"
Breach Description:
"University of Pittsburgh and city police are investigating the theft of a laptop computer with the Social Security numbers of alumni from the College of Business Administration."
Reference URL:
Pittsburgh Tribune-Review
Associated Press via Lebanon Daily News
Pittsburgh Post-Gazette
Report Credit:
Bill Zlatos, Pittsburgh Tribune-Review
Response:
From the online sources cited above:
College of Business Administration graduates at the University of Pittsburgh have been notified that a laptop containing their personal information including their names and Social Security numbers was stolen last month.
[Evan] None of the news reports cited above mention the use of encryption on the laptop. I will assume that this laptop was not encrypted. In this day, is there a valid excuse for not encrypting laptops that are (or may be) used to access and/or store sensitive, confidential information?
Citing an ongoing police investigation, Pitt officials today would not say how many alumni of the undergraduate program were affected.
"We're looking at various items of evidence, and we hope to apprehend the thief because the Pitt police are investigating vigorously," said university spokesman Robert Hill.
[Evan] I hope that the Pitt police are successful. Unfortunately chances are not good, statistically speaking.
The laptop, stolen from Mervis Hall on Aug. 11, was being used by an employee to conduct surveys of alumni that are used in college rankings.
[Evan] This might be the most puzzling statement in the news reports. What purpose do Social Security numbers serve in conducting surveys?!
Pitt spokesman Robert Hill said the employee violated a university policy, enacted in 2005, regarding storage of sensitive data.
"The survey was legitimate. What was not legitimate was storing Social Security numbers after the university established a policy," Mr. Hill said. "That information should have been purged from the laptop."
[Evan] Why did the employee need access to Social Security numbers in the first place? Establishing a policy to prohibit such use of information is fine, but we (information security personnel) cannot always count on personnel to read and comply with policy. We (information security personnel) use other technical, physical and administrative controls in an attempt to prevent/prohibit policy violations like this. In my experience, regular training and awareness can significantly improve policy compliance.
Only offices such as the registrar that have a need for such information are allowed to store it, he said.
[Evan] Who is allowed to access "such information"? People that are allowed to access "such information" are obviously more likely to store it.
Mr. Hill said there is no indication the thief knew the data was on the laptop and no indication that any attempt to use it has been made.
He said the graduates were notified beginning Aug. 27 as a precaution.
Mr. Hill would not say if the individual had been sanctioned.
Commentary:
Lost and stolen laptops containing sensitive, confidential information are frustrating. People who collect, create and store sensitive, confidential information and don't know how to protect it are also frustrating.
Past Breaches:
Unknown