AlertBoot Endpoint Security

Hard Disk Encryption: VCU Desktop Computer Stolen Affects Nearly 40,000


The Virginia Commonwealth University (VCU) is notifying nearly 40,000 students about a potential data breach due to the loss of a desktop computer.  It's not known whether drive encryption was used to secure the contents on the device, although it's pretty apparent that it would have been highly effective at preventing the information security breach.

What Information Was Affected?

17,214 current and former students (you'll see why I'm using an emphasis there) from October 2005 onwards are being notified that their Social Security numbers were involved in the data breach.  Plus, 22,500 students are being notified that their names and test scores were also on the stolen computer (which is not so terrible; I don't really see the need for notifications in the latter case).

VCU stopped using SSNs as student ID numbers in January 2007, so it's not as if they were not being security conscious.  On the other hand, the stolen computer was used in the process of scoring tests and recording grades.

In other words, it was not a final repository for students' grades.  So, why did they not take the time to delete such information?  It sounds like VCU didn't think things through when it comes to data security and their students' (and alumni's) well-being.

An Internal Computer Data Breach

The desktop computer was stolen from a locked room within a locked area of the Cabell library at VCU, according to the timesdispatch.com.  The computer was found missing less than a day after it was stolen.

A twist on this story is that it is known who stole the computer; the person confessed to the theft.  The person has supposedly taken the computer "for personal use and then [it was] disposed of."  It was further noted that the computer was thrown away, like garbage, and not sold--and could not be recovered.

Combine this twist with the fact that it was stolen from a secure area, and I think it's not a far stretch to assume this was an internal breach.

This Story Smells Fishy

Someone steals a computer "for personal use" and then throws it away?  Unfathomable.  Plus, the VCU police think it was tossed "shortly afterward," no doubt based on the perpetrator's confession.

A person takes the pains to steal something sizable (physically speaking) for personal use and it's shortly thrown out along with the garbage.  What did he (or she) use it for?  To provide ballast for a hot-air balloon?

My personal guess is that there's more to this story than what the person behind the theft is admitting to.  I mean, he's already admitted to stealing property.  There's got to be repercussions for that; however, admit to stealing 17,000 SSNs and it's got to have even more serious ramifications than stealing some dinky desktop computer.

How Encryption Software Could Have Saved The Day

I'm going to go out on a limb here and assume that the person is being honest (despite stealing stuff), and assume that the computer was stolen because it was a computer, not because of the data in it, and that it was actually disposed of as claimed.

The problem with such a scenario is that anyone could have (and maybe would have) picked up the computer.  Who's to say that this new "owner" won't find and sell the data?  Social Security numbers don't sell for as much as they used to (data for sale, too, must follow the laws of supply and demand--and there's a glut of stolen SSNs out there), but even at $1 per SSN, it represents a cool $17,000.

The only way to prevent such a scenario from occurring is by denying access to the computer--pick it up from the curb, by all means, but don't gain entry into its contents.  So, how do you completely prevent a guy from accessing the contents of a computer?  Especially if no one is around to stop him?

By using encryption software like AlertBoot to secure the contents, of course.  Installing hard disk drive encryption software on a computer will allow only authorized users (i.e., those with a username and password) to boot up the computer.

For further security, a limit could be placed on how many tries are allowed before the system locks out everyone, regardless of whether a later try gives the correct password.  This prevents someone from trying multiple guesses--and succeeding 10 years from now, for example.

And, obviously, the use of encryption could have protected the contents from the original thief as well, assuming that person was not authorized to access the computer.
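
The attempt limit described above, sketched as an added example (not AlertBoot's code or any product's actual format).  It assumes the lockout is enforced by destroying the password-wrapped disk key once the limit is reached, which is why a later correct password no longer works; the class, function and status names are hypothetical, and in-memory state stands in for the on-disk key slot.

```python
import hashlib, hmac, os

class KeySlot:
    """Toy pre-boot key slot (constructed for illustration, not a product's format)."""

    def __init__(self, password, max_attempts=5):
        self.salt = os.urandom(16)
        self.max_attempts = max_attempts
        self.failures = 0
        volume_key = os.urandom(32)          # the key that actually encrypts the disk
        # XOR wrapping keeps the sketch short; real software uses AES key wrap or an AEAD.
        self.wrapped = self._xor(volume_key, self._kek(password))
        self.check = hmac.new(volume_key, b"slot-check", hashlib.sha256).digest()

    def _kek(self, password):
        # Slow password-based derivation, so each guess costs real time.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    @staticmethod
    def _xor(a, b):
        return bytes(x ^ y for x, y in zip(a, b))

    def unlock(self, password):
        """Return (volume_key or None, status)."""
        if self.wrapped is None:
            return None, "locked-out"        # key material is gone; nothing to unwrap
        candidate = self._xor(self.wrapped, self._kek(password))
        tag = hmac.new(candidate, b"slot-check", hashlib.sha256).digest()
        if hmac.compare_digest(tag, self.check):
            self.failures = 0                # a correct login resets the counter
            return candidate, "unlocked"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.wrapped = None              # destroy the wrapped key: lockout is permanent
            return None, "locked-out"
        return None, "wrong-password"

def attempt_sequence(real_password, guesses, max_attempts=3):
    """Run a series of guesses against a fresh slot and return the statuses."""
    slot = KeySlot(real_password, max_attempts)
    return [slot.unlock(g)[1] for g in guesses]

if __name__ == "__main__":
    print(attempt_sequence("correct horse", ["a", "b", "c", "correct horse"]))
    print(attempt_sequence("correct horse", ["a", "b", "correct horse"]))
```

The limit only holds if the counter and key slot live somewhere that cannot be rolled back to an earlier copy, which is why such limits are normally anchored in hardware such as a TPM.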

Related Articles and Sites:
http://www.timesdispatch.com/rtd/news/local/article/VCUUGATER05_20090605-115401/272056/
http://www.washingtonpost.com/wp-dyn/content/article/2009/06/05/AR2009060501809.html
http://www.dailypress.com/news/local/virginia/dp-va--vcu-stolencompute0605jun05,0,6824114.story


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.