[ISN] Loan firm's security breach concerns college district

From: InfoSec News (alerts@private)
Date: Mon Jul 24 2006 - 00:32:50 PDT


By Laura Houston
The Arizona Republic
July 22, 2006 

Maricopa Community Colleges is taking a second look at a contract with
a national loan company to provide student tuition services after the
company lost information on 188,000 customers.

The district's governing board is slated to approve a contract with
NelNet at its Tuesday meeting without discussion.

The agreement effectively would make available loan services to about
280,000 students enrolled in the district's 10 colleges and two skill
centers. Students would pay all fees for the service. There would be
no charge to the district.

College district officials heard about the security breach Thursday,
said Debra Thompson, district vice chancellor for business services.

They were wanting to see how much responsibility NelNet bore in the
loss of the data, which United Parcel Service shipped from Aurora,
Colo., near Denver. Most, if not all, of the customers whose
information has been lost are from Colorado, said Cheryl Watson, chief
communications officer for NelNet.

The data, stored on magnetic tape in a single box, were reported lost
Monday and had not been recovered by Friday afternoon, Watson said.  
Customers were notified as a courtesy, she said, because the company
was "not technically required to notify them."

"In all likelihood, the tape was probably destroyed in the UPS
facility," Watson said Friday. "We're just doing what is in the best
interest of the students."

A district committee approved the NelNet contract after a bidding
process that began no later than May, Thompson said.

The new system would be in place by October so that students could use
it during spring 2007 class registration, according to the district
governing board's agenda item.

NelNet is a national student tuition payment company with more than
$21.6 billion in net student loan assets reported in March.

Thompson said that in light of the recent incident, the district would
reassess its contract award to the company.

The contract would create a computerized system in which students sign
on with NelNet and are charged a $20 convenience fee per payment to
break up their tuition cost over as many as six payments instead of
making the payment in one lump sum, Thompson said.

The way NelNet was transporting the sensitive information was
"relatively historic and archaic," said Darrel Huish, associate vice
chancellor of information technology with Maricopa Community Colleges.

"I'm sure they would be reviewing their policies and procedures. We
want to make sure their response is appropriate for the incident," he

NelNet representatives have said this was a "routine shipment" and
stressed that the magnetic tape on which the data are stored is secure
because it requires sophisticated equipment to be read and used.

But that's not any reason to feel secure, said Todd Davis, CEO of
LifeLock, a Chandler-based identity-theft prevention company with a
growing clientele among colleges and universities nationwide.

"Identity theft is a $55 billion-a-year industry," Davis said Friday.  
"They (criminals) have all the technology they need to read magnetic
tape. They have all the resources they need."

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Mon Jul 24 2006 - 00:40:36 PDT