[ISN] NU Security Breached Again

From: InfoSec News (alerts@private)
Date: Mon May 21 2007 - 22:36:21 PDT


http://media.www.dailynorthwestern.com/media/storage/paper853/news/2007/05/21/Campus/Nu.Security.Breached.Again-2905908.shtml

By Erin Dostal
The Daily Northwestern
5/21/07

A laptop containing the Social Security numbers of Northwestern students 
and alumni was stolen in late April from an employee in the Financial 
Aid Office on the Chicago Campus.

"A letter has been sent to all of those students whose data may have 
been accessed," said Alan Cubbage, vice president for university 
relations. "There is no indication at this point that anyone's data has 
been accessed."

Letters warning potential victims of the security breach were sent out 
about 10 days ago, Cubbage said.

Because the laptop was stolen from a Chicago Campus employee, law and 
medical students are the most affected, Cubbage said.

This is not the first breach of sensitive NU data. In May 2006, hackers 
from outside the university accessed records containing the personal 
information of about 17,000 NU alumni, students and faculty.

Thomas Gersic, who earned a master's degree from NU's School of Music in 
2005, received the letter sent about two weeks ago. He said he wished NU 
would be more careful with sensitive personal information.

"I was very upset about it," Gersic said. "I think that they had the 
ample opportunity to learn from their mistakes and make some changes, 
and they didn't."

Cubbage said the 2006 incident raised different issues than the more 
recent breach.

"This is a very different set of circumstances," Cubbage said. "(This 
time) an employee had her laptop stolen, which is the first time that 
happened, at least with any kind of data like this on it."

Gersic said the letter sent out by NU officials suggested that potential 
victims seek help from fraud departments of credit bureaus or go to the 
Federal Trade Commission's Web site for more information. He said he had 
already filed a fraud report.

Gersic started a Web site, www.northwesternprivacy.com, to petition 
administrators to tighten their data security policies.

"I want two things," he said. "I think that they should provide credit 
monitoring to those who are affected and that policy should be changed 
so they're not storing Social Security numbers on unencrypted, unlocked 
computers.

"Social Security numbers should only be kept in a centralized server, 
encrypted and in a locked room."

Cubbage said that in cases like this, it is often the piece of equipment 
the thief wants, not the information on it.

A police report has been filed with the Chicago Police Department.


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Mon May 21 2007 - 22:52:39 PDT