[ISN] MSU reveals fourth personal-data security breach in one month

From: InfoSec News (alerts@private)
Date: Wed Nov 07 2007 - 23:12:55 PST


http://www.bozemandailychronicle.com/articles/2007/11/07/news/15security.txt

By Gail Schontzler
Chronicle Staff Writer
November 07, 2007

Montana State University is sending letters to 271 students and MSU 
employees to warn them that their Social Security numbers might have 
been exposed because of three separate security breaches.

One breach dates to 2002. Another involves an MSU employee's stolen 
laptop computer. MSU announced the latest breaches in a news release 
Tuesday, four weeks after another security breach that affected 1,400 
people.

There's no evidence that anyone's personal information has been stolen 
by identity thieves, but MSU can't prove that didn't happen, said Jim 
Rimpau, the university's chief information officer. University officials 
wanted to act conservatively and alert people so they could check on 
their credit reports to make sure no one had stolen their personal 
information.

"What a horrible couple of weeks it's been," Rimpau said.

The odds are nobody has seen these things, the personal data that could 
be used for nefarious purposes, he said.

Chances are good that the stolen computer was taken by some kids who 
wanted to pawn it or play computer games, he said.

The key to preventing future breaches is better training, better 
awareness among university employees, he said.

Two breaches occurred when employees tried to save information on their 
computers to secure MSU sites and accidentally sent the data to 
unsecured sites.

"If you're in a hurry, it can happen," Rimpau said. The solution is 
getting people to be more careful.

One breach occurred when people in charge of a department's computer 
server failed to apply a security update or patch, Rimpau said.

"We take these incidents very seriously," MSU spokeswoman Cathy Conover 
said in the news release. "We try to learn as much as we can from each 
incident ... to prevent these events from happening again."

All four cases were the result of carelessness, Rimpau said.

* On Nov. 2, MSU learned that an employee's laptop computer had been 
  stolen somewhere off-campus. It contained the Social Security numbers 
  of 216 students and employees who lived in on-campus housing from 1998 
  to 2007. The data was not encrypted. University police and the 
  Gallatin County Sheriff's Office were informed of the theft. MSU said 
  its residential life office will remove all sensitive personal 
  information from portable devices to prevent this from happening 
  again.

* Also Nov. 2, an independent security watchdog group informed MSU that 
  an Excel spreadsheet with the names and Social Security numbers of 42 
  people, most of them hired in the summer of 2006, was publicly 
  accessible on MSU's Web site. The spreadsheet was removed immediately. 
  The spreadsheet had been saved in error by a personnel and payroll 
  employee in 2006 and mistakenly posted on the Web in July 2007.

* While investigating that breach, MSU data-security staff found another 
  Excel spreadsheet accidentally posted on the MSU Web site since 2002. 
  It contained the Social Security numbers of 13 people who got travel 
  vouchers from the computer science department in the College of 
  Engineering. It also was removed immediately. The College of 
  Engineering plans to implement new procedures and increase employees' 
  awareness to minimize exposure of personal information.

* On Oct. 12, MSU reported that a hacker had gotten access to a computer 
  server that contained credit card and Social Security numbers of 1,400 
  people who enrolled online to take MSU Extended University courses in 
  the past two years. The data weren't encrypted.

MSU spelled out in the letters to students and employees the steps 
people can take to protect themselves from identity theft. The 
information is also posted online at www.montana.edu/securityalert.

Rimpau said MSU generally uses randomly generated IDs for student and 
employee records, but must use Social Security numbers for student 
financial-aid and employee-payroll records.

"Although we feel horrible about this, it could be worse," Rimpau said, 
citing other universities where thousands of students' personal data 
were accidentally placed online.

