The Beijing Center for Chinese Studies has revealed the loss of a laptop computer to the NH Attorney General. From the content of the letter, it looks like disk encryption software such as AlertBoot was not used to protect the contents of the laptop.
According to the letter to the AG, the laptop was stolen from a locked facility on October 15, 2009. There's no explanation on whether it was a break-in or what. The only additional detail is that the laptop contained sensitive, personal information--such as SSNs--stemming all the way back to 1994. The SSNs, and names, were included as part of applications to "study abroad with The Beijing Center."
You know what the odd part is? On-line sources like Wikipedia state that TBC was established in 1998. TBC's own site notes that TBC has been educating the world about China since 1998. Where's the information between 1994 and 1998 coming from, then?
The Beijing Center is offering free credit monitoring for 12 months. More importantly, however, they've already put processes in place to prevent any similar breaches in the future.
First, they've already destroyed personal information where it's no longer needed, which is always a good policy. Many data breaches that surface can be attributed to "keeping around data...just in case." Just in case of what? Just in case they suffer a break-in and want to escalate the issue?
It makes sense to keep names around, if anything for future outreach programs. However, SSNs? Once the application process is over, they should be kept only for as long as necessary.
Second, it looks like they may be in the process of using encryption to protect information. It claims to have "implemented procedures so that unencrypted Social Security numbers and other sensitive information will not be stored on mobile devices."
Related Articles and Sites:
http://www.thebeijingcenter.org/securityqns
http://doj.nh.gov/consumer/pdf/beijing.pdf
http://www.databreaches.net/?p=8882