The UND Alumni Association is sending out word to approximately 85,000 people that they should be monitoring their credit. Their information was stored on a laptop computer that was lost by a software vendor contracted by the alumni association. It also sounds like affected members will be signed up for credit monitoring services, free of charge, of course. This is despite the fact the computer in question was using laptop encryption to secure its contents. I’ve often alluded that data encryption software like AlertBoot is the best method of protecting data, if not proclaiming it outright.
So why the credit monitoring, which can’t be cheap, considering we’re talking about 80,000 people? Even with a discount so that it costs $10 per person, we’re talking close to one million dollars in expenses.
Well, there are a couple of reasons. It could be that the encryption system the UND Alumni Association is using is not strong enough. Generally, encryption strength is measured by its key length: the longer the key, the stronger the encryption. In fact, strength grows exponentially with key length, so a 256-bit key is not twice as strong as a 128-bit key, but much, much stronger. Of course, that also means that, in comparison, a 64-bit key is much, much weaker, not merely twice as weak.
Or, it could be that the encryption algorithm in use hasn’t been vetted. Hundreds of new encryption algorithms have been developed over the years, only to be cracked because of an underlying weakness in the algorithm itself. Weak algorithms are a serious matter, since in such cases the contents of the encrypted data can be accessed by other methods, regardless of what the key length happens to be.
However, the above don’t appear to be the motivation behind alerting alumni members. According to Tim O’Keefe, the executive vice president of the association, the technology protecting the information was “absolutely the best you can buy.” More money doesn’t necessarily mean more protection (or better protection, for that matter). However, those who charge through the nose generally tend to stick to encryption algorithms that work on a theoretical level and have been impervious to attempts by the cryptographic community to crack them. So, I think we can assume that they used something based on AES or RSA.
Perhaps the credit monitoring is a public relations ploy. Alumni who have donated in the past tend to donate again. And donations per person tend to be more than $20, a price that gets bandied about for an annual subscription to credit monitoring services. So, the UND Alumni Association would come out ahead even with a one-time payment of hundreds of thousands of dollars, assuming the offer of a credit monitoring program allays any fears that are lingering despite the use of encryption software to protect the names, Social Security numbers, and credit card numbers of donors.
Personally, if I had been an alumnus, I would have preferred knowing what type of encryption was being used, and what the key length happened to be. Once that has been established, I would feel secure enough to tell the alumni association to keep me off the credit monitoring. I get enough junk mail as it is.
Related Articles:
http://www.kfyrtv.com/News_Stories.asp?news=23038
http://www.grandforksherald.com/articles/index.cfm?id=88793