[ISN] VSC laptop theft creates security concerns

From: InfoSec News (isn@private)
Date: Mon Mar 27 2006 - 01:19:23 PST


http://www.timesargus.com/apps/pbcs.dll/article?AID=/20060324/NEWS/603240363/1002

By Darren M. Allen 
Vermont Press Bureau 
March 24, 2006 

MONTPELIER - Thousands of Vermont State Colleges students, faculty and
staff learned this week that a VSC laptop computer stolen from a car
parked in Montreal on Feb. 28 could have given thieves access to their
personal financial information, including Social Security numbers and
payroll data.

And while system administrators assured the thousands of potential
identity-theft victims that they had all but eliminated access to the
colleges' computer network from the laptop, some faculty and staff are
furious that VSC took three weeks to warn them.

"I can share with you that many, many people have come to me to
express their anger," said Ernest Broadwater, an education professor
at Lyndon State College and the president of the Vermont State
Colleges Faculty Federation.

The union has contacted an attorney to "learn what measures the VSC
has taken to protect the information of our students, staff and
faculty."

College administrators on Thursday insisted that the threat of stolen
identities was minimal, but nonetheless urged the system's 14,000
current students, teachers and staff to be vigilant about their bank
and credit card accounts. They said they fear the stolen laptop may
have contained information on people associated with the five-college
system from as long ago as 2000.

"Upon being notified, information technology staff took immediate
steps to block network access from the laptop," said a system-wide
e-mail that was distributed this week. "We have no evidence that any
personal information has been accessed or used for illegal or
malicious activities. However, the potential risks associated with
identity theft are very serious matters."

Karrin Wilks, VSC vice president for academic and strategic planning,
said she has received "many" calls and e-mails since the warning went
out Tuesday.

"Although we notified everyone just this week, we took precautions
immediately," she said. "We didn't know exactly what was on the
machine. We had to spend time assessing the threat, and assessing our
legal/moral respon-sibilities."

To Broadwater, those responsibilities would include more timely
notification.

"I'd be interested in hearing why it wasn't sooner," he said. "It
seems that they were worried about their system but not the
individuals who had their identity information compromised."

The laptop was stolen from an unidentified information technology
officer's car while it was parked on a Montreal street Feb. 28. The
woman — whose name was not released by the VSC — put her laptop under
her seat and locked the car, Wilks said. However, she left a pair of
skis in the back. Thieves broke a window, and took the skis, the
laptop and other items of value, she said.

"Her vacation was ruined," Wilks said.

The woman immediately contacted the VSC and also filed a report with
the Montreal police.

The potential breach of thousands of people's private information was
the second one for the state colleges in less than a year. In October,
a former Vermont Technical College student discovered that his Social
Security number was posted on the Internet. As it turned out, the
college had mistakenly posted every student's Social Security number
on the Web.

"We have taken swift steps to secure the information and to remove the
data from the Vermont Tech server and from other sources," then-VTC
President Allan Rodgers said in an e-mail to students and to alumni.  
According to an Associated Press report, he ordered more training on
computer security.

Identity theft is a growing problem in the United States, and several
states have begun passing laws to deal with it. Last year, Vermont
consumers were given the ability to freeze their credit reports if
they suspect that they are victims of identity theft.

In California, lawmakers passed a credit report freeze and another
measure that compels companies or organizations that lose sensitive
information to immediately notify potential victims.

And Congress is grappling with national legislation that would also
compel quicker disclosure.

Wilks said she understood people's frustration. "People do need to be
more vigilant," she said. "People need to monitor their own debit and
credit accounts for unusual activity."



_________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 



This archive was generated by hypermail 2.1.3 : Mon Mar 27 2006 - 01:37:14 PST