[ISN] Stanford alerts employees that stolen laptop had personal data

From: InfoSec News (alerts@private)
Date: Mon Jun 09 2008 - 02:36:36 PDT


http://news-service.stanford.edu/news/2008/june11/laprelease-061108.html

Stanford Report
June 6, 2008

Stanford University determined yesterday that a university laptop, which 
was recently stolen, contained confidential personnel data. The 
university is not disclosing details about the theft as an investigation 
is under way.

The university is sending e-mails and letters to current and former 
employees whose personal information may be at risk, as well as posting 
information on the Stanford homepage at: http://www.stanford.edu, and 
notifying the media. Officials estimate that the problem could extend to 
as many as 72,000 people currently or previously employed by Stanford.

While the university has rigorous policies and guidelines designed to 
protect confidential information, events such as this demonstrate the 
need for heightened vigilance in this area. To that end, Vice President 
for Business Affairs and Chief Financial Officer Randy Livingston will 
lead a task force to review policies and practices regarding the safety 
and security of sensitive data.

Livingston said: "The university has guidelines that prohibit keeping 
sensitive information on unsecured computers. This effort will be 
redoubled after this incident."

The message sent from Livingston to past and current Stanford employees 
is below.

-=-

June 6, 2008

Dear Stanford Community Member:

I'm extremely disappointed to let you know that a Stanford laptop, which 
contained confidential personnel information, was recently stolen. This 
matter has been reported to law enforcement.

In working to identify the information that was on the machine, 
yesterday we discovered that it had personnel records of current and 
former Stanford employees hired before September 28, 2007. Although you 
personally may not be affected, we are sending this email to everyone in 
the Stanford community.

We believe that the perpetrator of the crime was not seeking the records 
on the computer or even aware of them. Often, such thefts are property 
crimes in which the laptop's hard drive is erased before the laptop is 
resold. While there is no evidence that any of the information on the 
stolen laptop has been accessed, the University is committed to taking 
steps to assist individuals whose personal data may be misused.

Stanford works very hard to secure the sensitive data entrusted to it by 
current and former faculty and staff. We are currently assessing 
appropriate steps to increase protection of this information. For 
additional information, see below. We sincerely apologize for this 
incident.

With deepest regrets,

Randy Livingston

Vice President for Business Affairs and Chief Financial Officer

-=-

Q & A

WHO IS AFFECTED?

While we are still trying to assess the categories of affected 
individuals, you may be affected if you received any paycheck from 
Stanford before September 28, 2007; this group includes faculty, staff 
and students who have been employed by the University in any capacity. 
(If you were hired by Stanford after September 28, 2007, your data was 
not affected.)

WHAT DATA WAS ON THE LAPTOP?

Personal information may include some or all of the following:

    * First and last name, gender, birthdate

    * Social Security Number

    * Business title and office location

    * Work and home phone numbers

    * Home address

    * Salary

    * Stanford email address

    * Stanford ID card number and Stanford employee number

There are no driver's license numbers, credit card numbers, bank account 
numbers or other financial information.

WHAT IS THE UNIVERSITY DOING?

Stanford is working with law enforcement to recover the laptop. Stanford 
has alerted HR and the Computer Help Desk about this incident, and will 
scrutinize any requests for changes to passwords or personnel profiles. 
Stanford is committed to working with our affected community members to 
prevent identity theft as a result of this crime.

WHAT DO I NEED TO KNOW TO PROTECT MYSELF?

Affected individuals should review the information provided by 
California's Office of Security Information and Privacy Protection, and 
specifically you will want to take a look at the checklist of actions 
and protections at: 
http://www.oispp.ca.gov/consumer_privacy/consumer/documents/pdf/cis3english.pdf.

Some of the specific recommendations from that checklist include 
requesting a free credit report from one of the three major credit 
bureaus - Equifax, Experian, TransUnion and 
http://www.AnnualCreditReport.com or by calling 1(877) 322-8228. By law 
you are entitled to one free credit report annually.

Additionally, Stanford is committed to providing enhanced safeguards 
against identity theft for affected individuals, but in the short time 
since we have become aware of this incident, we have not finalized 
arrangements for these safeguards. We will have services in place next 
week and Stanford is committed to assuming this cost. Further 
information will be accessible through Stanford's Home Page, 
http://www.stanford.edu, and kept updated as more information becomes 
available. Please remember that you can obtain a free credit report 
today, as described above.

WHAT OTHER IDENTITY THEFT RESOURCES ARE AVAILABLE?

Additional resources include:

    * Federal Trade Commission at http://www.ftc.gov/idtheft

    * Identity Theft Resource Center at http://www.idtheftcenter.org

    * The Privacy Rights Clearinghouse at http://www.privacyrights.org

HOW CAN I RECEIVE MORE INFORMATION?

You can call (650) 736-0099 and leave your contact information for a 
return call. You can also go to the Stanford home page for updates or 
email privacyquestions (at) stanford.edu with your full name and date of 
birth.

