http://www.bozemandailychronicle.com/articles/2007/11/07/news/15security.txt

By Gail Schontzler
Chronicle Staff Writer
November 07, 2007

Montana State University is sending letters to 271 students and MSU employees to warn them that their Social Security numbers might have been exposed because of three separate security breaches.

One breach dates to 2002. Another involves an MSU employee's stolen laptop computer.

MSU announced the latest breaches in a news release Tuesday, four weeks after another security breach that affected 1,400 people.

There's no evidence that anyone's personal information has been stolen by identity thieves, but MSU can't prove that didn't happen, said Jim Rimpau, the university's chief information officer.

University officials wanted to act conservatively and alert people so they could check on their credit reports to make sure no one had stolen their personal information.

"What a horrible couple of weeks it's been," Rimpau said.

The odds are nobody has seen these things, the personal data that could be used for nefarious purposes, he said. Chances are good that the stolen computer was taken by some kids who wanted to pawn it or play computer games, he said.

The key to preventing future breaches is better training, better awareness among university employees, he said.

Two breaches occurred when employees tried to save information on their computers to secure MSU sites and accidentally sent the data to unsecured sites.

"If you're in a hurry, it can happen," Rimpau said. The solution is getting people to be more careful.

One breach occurred when people in charge of a department's computer server failed to apply a security update or patch, Rimpau said.

"We take these incidents very seriously," MSU spokeswoman Cathy Conover said in the news release. "We try to learn as much as we can from each incident ... to prevent these events from happening again."

All four cases were the result of carelessness, Rimpau said.

* On Nov. 2, MSU learned that an employee's laptop computer had been stolen somewhere off-campus. It contained the Social Security numbers of 216 students and employees who lived in on-campus housing from 1998 to 2007. The data was not encrypted. University police and the Gallatin County Sheriff's Office were informed of the theft. MSU said its residential life office will remove all sensitive personal information from portable devices to prevent this from happening again.

* Also Nov. 2, an independent security watchdog group informed MSU that an Excel spreadsheet with the names and Social Security numbers of 42 people, most of them hired in the summer of 2006, was publicly accessible on MSU's Web site. The spreadsheet was removed immediately. The spreadsheet had been saved in error by a personnel and payroll employee in 2006 and mistakenly posted on the Web in July 2007.

* While investigating that breach, MSU data-security staff found another Excel spreadsheet accidentally posted on the MSU Web site since 2002. It contained the Social Security numbers of 13 people who got travel vouchers from the computer science department in the College of Engineering. It also was removed immediately. The College of Engineering plans to implement new procedures and increase employees' awareness to minimize exposure of personal information.

* On Oct. 12, MSU reported that a hacker had gotten access to a computer server that contained credit card and Social Security numbers of 1,400 people who enrolled online to take MSU Extended University courses in the past two years. The data weren't encrypted.

MSU spelled out in the letters to students and employees the steps people can take to protect themselves from identity theft. The information is also posted online at www.montana.edu/securityalert.

Rimpau said MSU generally uses randomly generated IDs for student and employee records, but must use Social Security numbers for student financial-aid and employee-payroll records.

"Although we feel horrible about this, it could be worse," Rimpau said, citing other universities where thousands of students' personal data were accidentally placed online.