Source: http://breachblog.com/2008/06/24/nhti.aspx
NHTI loses thumb drive that may have contained student information
2008-06-24 17:21:39 by Evan Francen in The Breach Blog
 

Date Reported:
5/30/08

Organization:
NHTI, Concord's Community College

Contractor/Consultant/Branch:
None

Victims:
Nursing program graduates from the classes of 2006 and 2007

Number Affected:
128

Types of Data:
"names, social security numbers, addresses, phone numbers, and email addresses"

Breach Description:
NHTI has notified the New Hampshire State Attorney General of a lost flash drive that may have contained sensitive personal information belonging to nursing program 2006 and 2007 graduates.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
New Hampshire State Attorney General

Response:
From the online source cited above:

We are writing to notify you that NHTI, Concord's Community College recently learned of a data security incident involving personal information of individuals who have graduated from the College.

On April 23, 2008, it was discovered that a data storage device, or flash drive, was missing.
[Evan] Are unsecured flash drives allowed for use with NHTI information resources?  There is no mention in the breach notification.

The flash drive may have contained the names, social security numbers, addresses, phone numbers, and email addresses of our nursing program graduates from the classes of 2006 and 2007.

Our Campus Safety Department conducted a thorough investigation to locate the flash drive.

The investigation concluded that we cannot determine whether a security breach has occurred.
[Evan] What is the school's definition of a security breach?  Was the Campus Safety Department unable to confirm that personal information was stored on the lost flash drive?  If not a breach, then poor information management at the least.

The potential security breach involved personal identification information of 128 former students.

While we do not believe the flash drive was taken for purposes of identity theft, we have recommended that the affected individuals take steps to protect themselves from the possible misuse of personal information.
[Evan] Really, at the end of the day I don't think it matters how many steps people take to protect themselves if the custodians of confidential information do not take proper care of the information entrusted to them.  Everyone needs to play their role.  Owner, custodians and users.

There is no indication that the disappearance of the device, a USB flash drive, was motivated by identity theft.

We do not have any evidence that your information has been misused, and we believe the likelihood of such misuse is low.
[Evan] "Low" is subjective and hard to measure.  This reminds me of some informal research we conducted a while back.  We were curious.  We found a left-over box of unused flash drives that a marketing department had been giving away (s.w.a.g.) at a trade show.  We wanted to find out #1, how many people pick up a flash drive if they find one lying around, and #2, how many people plug them in and peruse the contents/use them.  We had 40 flash drives.  29% of people picked them up (meaning it took 137 people walking by to nab 40 flash drives).  We tried to vary the locations of the flash drives both out in the open and semi-private.  Of the 40 people that picked up the flash drives, all 40 used them.  I suppose that this particular flash drive could have ended up in the garbage or destroyed somehow, but if someone found it, I think chances are pretty good that someone will find the information.  The difficult part is trying to determine what someone will do with the information once they have it, I suppose.

However, out of an abundance of caution, we are informing everyone who may be affected by this incident so that they may properly evaluate what actions - if any - they wish to take in this matter.
[Evan] The "abundance of caution" phrase is quickly becoming my pet peeve.  An abundance of caution would have gone a long way towards preventing the breach.  Storing confidential information on an insecure flash drive certainly does not demonstrate an abundance of caution.

We have obtained the services of a credit monitoring organization to provide free credit monitoring for one year to the affected individuals.

NHTI takes the protection of confidential information very seriously.

We sincerely regret that this incident occurred and are taking steps to prevent this type of breach from occurring again.

The College has instituted safeguards to prevent such incidents in the future.
[Evan] Like?

If you have any questions or concerns, please contact NHTI's Director of Communications, Alan Blake, at (603) 271-8904.

Commentary:
Most of my commentary is included above.  Flash drives are very convenient, but sometimes the thought of them sends a slight shiver down my spine.  If their use cannot be properly controlled, their use can be disastrous.  So, if you can't control their use, then prohibit their use.  I know of quite a few companies that have banned flash drives and disabled USB and FireWire ports.

I was a little tardy in finding this breach.  I thought it was still good information for readers though.

Past Breaches:
Unknown


 
 
 
 
 
 