Insidevandy.com is reporting that the theft of a professor's desktop computer has resulted in the theft of information for 7,174 current and former students. There is no mention of whether data security products, such as drive encryption software like AlertBoot, were used.
Of the 7,174 students, 174 are current grad students and 1,173 are current undergraduates. The stolen data included names and Social Security numbers, which were part of the professor's grade book information (not all students' SSNs were included, it looks like: the story notes that the SSNs were "for some students").
The theft occurred on February 6, but the letters alerting of the breach were sent out on March 10 and 11. Seeing how the university was able to accurately detail how many students were affected, I guess they took the time to do some forensic investigation, most probably on backup data.
The computer was stolen from a locked office. The provost has asked "all academic deans...to purge information like this from their files and to not collect it in the future" in a memo.
I'd say there's a good chance that the information on the stolen computer was not protected--otherwise, it would have been mentioned. Going forward, though, would it be a good idea?
It depends. If everyone purges sensitive information from their computers, the obvious answer is, "data protection is not necessary," mostly because there is no data to protect. The question is, though, how many people will:
- Actually read the letter?
- Take the time to delete sensitive data?
- Not miss a particular file or files that contain sensitive information?
The provost's memo would have had more bite to it if he had also provided software that scans through a computer's contents and pinpoints any instances of sensitive information, such as credit cards or SSNs. I mean, this is what a number of malware programs do to steal data, and plenty of similar commercial (i.e., for legal purposes) software exists for finding such information in order to delete it.
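A small sketch of the kind of discovery scan described above, added here as an illustration; it is not from the original post or from any product it mentions. It walks a directory of plain-text files and flags separator-formatted SSNs and Luhn-valid card numbers, reporting only the last four digits; the function names, size limit and sample data are assumptions made for this example.

```python
import os
import re

# SSNs written with separators (123-45-6789 or 123 45 6789); bare 9-digit runs are ignored.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ])(\d{2})\2(\d{4})(?!\d)")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Constructed grade-book sample, not real data.
SAMPLE = "Doe,Jane,078-05-1120,A-\nRoe,Rick,000-12-3456,B+\nCard: 4111 1111 1111 1111\n"

def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    """Return (kind, masked value) hits; only the last four digits are kept."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.group(1), m.group(3), m.group(4)
        # Skip values that are never issued: area 000/666/9xx, group 00, serial 0000.
        if area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000":
            continue
        hits.append(("ssn", "***-**-" + serial))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def scan_tree(root, max_bytes=5_000_000):
    """Map each file under root to its hits; oversized or unreadable files are skipped."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report
```

Masking the matches keeps the scan report from becoming one more file that holds SSNs. Spreadsheets and other binary formats would need their text extracted first.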
Also, not storing sensitive data is always a better form of data security than, say, the use of encryption software. For example, full disk encryption can only protect data when computers get stolen; it's 0% effective against other threats, such as Trojans. But, again, it all revolves around whether the data does get deleted.
In my experience, people lose track of what's saved where and which files contain what. While deleting and not storing sensitive data is the best form of data security one could have, when theory diverges from reality, a different approach must be tried.
And theory tends to diverge from reality a lot.
Related Articles and Sites:
http://www.insidevandy.com/drupal/node/13438
http://www.vanderbilt.edu/info/identity-protection/