[ISN] Thousands of U students have IDs at risk after computer theft

From: InfoSec News (alerts@private)
Date: Mon Sep 11 2006 - 01:27:58 PDT


Forwarded from: "eric wolbrom, CISSP" <eric (at) shtech.net> 

http://www.twincities.com/mld/pioneerpress/news/local/15475291.htm

By TAD VEZNER
Pioneer Press
Sept. 08, 2006

A pair of computers containing the personal information in some cases 
Social Security numbers of thousands of University of Minnesota students 
was stolen from a campus office. Now officials are scrambling to let 
past and present students know their identities may be in danger.

The computers, stolen in August from the desk of a program coordinator 
at the university's Institute of Technology, contained data on 13,084 
students who joined the school as freshmen between the fall of 1992 and 
2006.

Files included such information as names, birth dates, addresses, phone 
numbers, the high school they attended, student identification numbers, 
grades and test scores, and academic probation.

And, in hundreds of cases, Social Security numbers.

University spokesman Daniel Wolter said the university's main effort is 
focused on contacting 603 past students whose Social Security numbers 
were stolen.

But those students are the hardest to locate, Wolter added: Such numbers 
were taken in the earlier years of the program, when Social Security 
numbers were required, and the older students may have fallen out of 
contact.

University officials began sending letters to students on Aug. 30 to 
notify them of the theft but five of six IT students contacted Friday 
evening by the Pioneer Press said they had not seen the letter, and had 
no knowledge of the theft.

The computers were stolen overnight between Aug. 14 and Aug. 15 from the 
locked Lind Hall office of Ann Pineles, a program coordinator for the 
institute's lower division, or undergraduate, program. Pineles had the 
information stored on her hard drives.

'It's fair to say that's not standard operating procedure to have all 
that data on the hard drives,' Wolter said. 'But due to the size of the 
institution, its hugely decentralized structure (not everyone does 
that).

'It's one of those things where we need to do a better job educating 
people.'

Wolter said he did not know why Pineles had the data on a hard drive, 
rather than a central, secure computer server.

The university's written policy for computer security for drives with 
legally protected student information only requires that 'physical 
access to computers must be restricted,' Wolter said.

He said there were no plans to discipline Pineles.

Pineles, when contacted at home Friday, said only that 'it's just really 
been a bad day,' before hanging up.

Peter Hudleston, the associate dean at the institute who signed the 
letter, said the computers were relatively new and valuable, and 
officials believe thieves were targeting the computers, not the data.

University police had no suspects for the crime, Wolter said, adding 
that he was not sure whether there were signs of forced entry.

October is cyber security month at the university, Wolter added. All 
staff will go through a mandatory data security training.


_________________________________
HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/



This archive was generated by hypermail 2.1.3 : Mon Sep 11 2006 - 01:43:51 PDT