Sinclair Community College employee information exposed for 18+ months
Date Reported:
11/10/08
Organization:
Sinclair Community College
Contractor/Consultant/Branch:
None
Location:
Dayton, Ohio
Victims:
Employees
Number Affected:
"about 958"
Types of Data:
"names and Social Security numbers"
Breach Description:
"DAYTON - Sinclair Community College on Monday, Nov. 10, told employees that the names and Social Security numbers of approximately 958 current and former employees were in a file folder that was visible to Web search engines."
Reference URL:
Dayton Business Journal
Dayton Daily News
Chillicothe Gazette
Report Credit:
Dayton Business Journal
Response:
From the online sources cited above:
More than 950 employees at Sinclair Community College had their social security numbers accidentally exposed online for more than a year, officials announced Monday.
The employee data had been made available online beginning February 2007 because of a human error from a Sinclair employee who accidentally made the information visible online.
The sensitive file, an Excel spreadsheet, was placed in a folder on a Sinclair computer by an employee who "did not realize that the contents of that folder were technically check marked as being visible to the outside world," (Sinclair President Steven) Johnson said.
[Evan] Did the employee "not realize" because the employee was poorly trained and/or not made aware? Employees who are responsible for working with sensitive information must be trained on the proper handling and must be made constantly aware of potential risks in using it. I am a big proponent of specialized information security training and awareness programs.
The data - for 958 Sinclair workers who were employed between July 2000 and November 2001 - was not published or displayed, but available through Web searches until it was removed last week.
[Evan] A slight play on words. The information was published and was displayed, just not as a web page (or a link from a web page).
Sinclair President Steven Johnson said the information was found last Tuesday by a Sinclair employee who had been searching her own name online.
Within 15 minutes, she reported the data and it was removed immediately, Johnson said.
By the end of the week, the college had contacted Yahoo! and Google to remove any traces or pictures of the data left behind.
"We have no reason to believe it's ever been accessed, other than the employee who serendipitously accessed it," Johnson said.
[Evan] Seren what? I am confused enough without the big words.
Sinclair has received no reports of identity theft.
[Evan] Who would know to report it to Sinclair?
The relative value of the data is low because the file contained names and Social Security numbers, but not addresses or dates of birth, Johnson said.
[Evan] What?! First the big words and now nonsense. I hope this was just a misquote.
Sinclair sent letters to all employees, including those affected and not affected, to explain the situation.
Those letters should begin arriving Monday, along with information on a two-year insurance and credit protection program Sinclair contracted for the affected employees through Equifax.
The college will pay roughly $80 per person for the coverage.
[Evan] Math time. $80 x ~950 = $76,000. Add the other costs involved with the response (investigation, notification, legal, reputation, etc.) and it's easy to see how costly a breach can be. Obviously spending $76,000+ on proactive measures is preferred. $76,000 would buy 337 hours of our services at an hourly rate (much less if project-based). We could do one heckuva lot with 337 hours!
"We wanted to show our employees how committed we are to their protection," Johnson said.
Of the 958 employees, about 600 are current employees of the college, about 300 have moved to different places of employment and some are deceased, Johnson said.
"I am confident that this was an accident - inadvertent, isolated human error that has been contained and controlled," Johnson said.
[Evan] Logic would tell me that "inadvertent, isolated human errors" are more common when the humans are not well trained or informed.
The employee who made the error has no previous disciplinary actions. It remains an open human resources matter, Johnson said.
The college has set up a hotline for more information about the exposed data at . It will be staffed by school human resources employees from 8 a.m. to 8 p.m. daily.
Commentary:
Seems like there have been a slew of post-secondary school breaches of late. I appreciate the fact that the school president addressed the media personally in regards to this breach, even if I disagree with some of what he supposedly said. The school is offering two years of "credit" protection, which is longer than the semi-standard one year. You may know how I feel about credit protection; if not, drop me a line.
Past Breaches:
Unknown