[ISN] UVa laptop stolen, had sensitive data

From: InfoSec News (alerts@private)
Date: Tue Apr 15 2008 - 23:27:41 PDT


http://www.dailyprogress.com/cdp/news/local/article/uva_laptop_stolen_had_sensitive_data/17976/

By Brian McNeill
Dailyprogress.com
April 16, 2008

A laptop stolen from a University of Virginia employee contained 
sensitive information about more than 7,000 students, staff and faculty 
members.

Stolen from an unidentified employee from an undisclosed location in 
Albemarle County, the laptop contained a confidential file filled with 
names and Social Security numbers.

"As soon as we learned about the theft, we starting moving as quickly as 
we could," UVa spokeswoman Carol Wood said.

UVa mailed out letters Monday to each person affected by the data 
breach. The university will publicly announce the incident today. The 
Albemarle County Police Department is investigating the theft. At the 
police department's request, UVa is releasing few details about the 
incident.

Wood declined to say when the burglary occurred or which academic 
departments were affected. She did say, however, that the theft did not 
occur on UVa's campus.

Investigators apparently do not believe that the personal information 
was the target of the theft, according to the letter from James Hilton, 
UVa's vice president and chief information officer.

"Although circumstances suggest the thief was not targeting this 
information and there is no evidence he or she has seen or is using your 
personal information, I am bringing this incident to your attention so 
you can be aware of signs of misuse," Hilton wrote.

Brian Reed, a graduate student in UVa's Curry School of Education, said 
he received a letter notifying him that his personal information had 
been exposed. He immediately notified the credit-rating agencies listed 
in Hilton's letter and filed a 90-day fraud alert.

"You hear all the stuff on the news about identity theft," Reed said. "I 
had this moment of panic."

Reed said he was "frustrated" that a UVa employee would keep his 
personal information on a laptop. Too many similar incidents have 
occurred at other universities and government agencies, he said, for UVa 
to store sensitive data anywhere other than on secure servers.

"This has happened many times before," he said.

A laptop stolen in February from a National Institutes of Health 
researcher may have contained medical records of 3,000 patients. Similar 
incidents have been reported at the City University of New York and the 
University of California, Berkeley.

The most recent data breach at UVa was discovered last June. An 
investigation by UVa police and the FBI found that hackers had accessed 
records of 5,735 faculty members on 54 days between May 20, 2005, and 
April 19, 2007. In that case, the faculty members. names, Social 
Security numbers and dates of birth were exposed. No credit card, bank 
account or salary data was tapped.

Wood said that no one has reported an instance of identity theft in 
connection with either last year.s privacy breach or the new laptop 
theft.

The university has been phasing out its use of Social Security numbers 
as a personal identification number, Wood said, and is constantly 
reviewing and renewing its security procedures.


-==-
Let identityLoveSock take your personal information into 
their wanting hands. http://www.identity-love-sock.com/ 
Because victims have money too. 



This archive was generated by hypermail 2.1.3 : Tue Apr 15 2008 - 23:31:10 PDT