1,400 students, alumni, employees, and prospective students are affected by the theft of three laptop computers from Columbia University offices, according to The Bwog. It looks like disk encryption was not used to secure the contents of the stolen laptops, a move that would have ensured the safety of the data.
Although details have yet to be released, Columbia has confirmed that SSNs were stored on the stolen laptops. It was also confirmed that password-protection was used (a safety precaution that is unworthy of its name once you get to know the details of how it can be bypassed; it's as easy as googling it).
The university will be offering two years of credit monitoring.
This is not the first time that Columbia has had an information security issue. In 2008, the university discovered a breach of a different kind, when SSNs for 5,000 students were inadvertently posted on-line.
The current dean of Columbia has announced that the university will be implementing:
"more encryption of sensitive information, establishing new security safeguards in administrative offices, and intensifying its scanning of computer equipment for security threats."
It's kind of disappointing to hear the above, since this is the second major data breach in as many years. I would argue that the use of encryption software on any computers used for administrative purposes should have been implemented soon after the 2008 breach.
Well, at least it should have been for devices that were used for processing sensitive data, such as SSNs. Did the university not carry out a data risk assessment after the 2008 incident? (The current dean can hardly be blamed if not: she took over the position just last year.)
According to surveys, the loss and theft of laptops, desktops, external hard drives, and other data storage devices account for over 30% of data breaches.
There are organizations out there that are loath to implement full disk encryption like AlertBoot on their company computers. One of the reasons, among many, is that it interrupts the workflow.
In the above case, though, that would be untrue. Using encryption is about as difficult as using password-protection: from a user's point of view, all one has to do is type in a password. On the back end, though, encryption ensures that data is truly protected, while password-protection just gives the impression of data protection.
Related Articles and Sites:
http://bwog.net/2010/01/29/breaking-police-investigating-laptop-theft-security-breach-of-1400-columbia-affiliates
http://www.nypost.com/p/news/local/manhattan/id_info_stolen_at_columbia_zZfD7lvBLtvT51LzPz4VuN
http://www.upi.com/Top_News/US/2010/02/01/Stolen-laptops-had-Social-Security-info/UPI-20421265049767/