
Stanford loses laptop containing personal information of 72,000 employees

Stanford University confirmed that a laptop holding the personal information of up to 72,000 current and former university employees was stolen, but did not release any initial information about the theft. The stolen laptop contained Social Security numbers, home addresses and salaries, but not credit card information, bank account numbers or driver's license numbers.

The information covers only employees who were hired before September 28, 2007, and university officials remain mum because the investigation is ongoing. It is unknown where the laptop was stolen from, but this may be revealed as the investigation progresses.

It is not uncommon for thieves to steal laptops and immediately wipe the hard drive before selling the laptop.   

"We believe that the perpetrator of the crime was not seeking the records on the computer or even aware of them," said Randy Livingston, Stanford University VP for business affairs.

Research collected by the Identity Theft Resource Center indicates at least 70 colleges and universities lost sensitive information during 2007. In addition to universities, the U.S. Department of Veterans Affairs, Wells Fargo, and similar companies have also had major security breaches in the past.

Colleges and universities tend to be a bit more careless when it comes to keeping laptops with private information secured, according to Mike Spinney, a spokesperson for the Ponemon Institute.

The University of California, Berkeley, had a similar breach in 2005; officials found the laptop for sale on eBay, but none of the personal information had been compromised.

Stanford University is contacting all parties who may be affected by the case, and the university is offering free credit reporting services in each case.



Comments

when are we going to get a clue!
By omnicronx on 6/9/2008 9:29:18 AM , Rating: 5
Can someone please tell me why a laptop had this kind of information saved on its hard drive? What possible reason could they have that this data had to be on the person's laptop and not safely stored on Stanford's network?

There is no reason that a person needs that kind of information on the road, and if they do, they should have to connect to a VPN in order to access this information. I think it should be made law that information like this MUST be stored centrally.




RE: when are we going to get a clue!
By MrBlastman on 6/9/2008 9:40:24 AM , Rating: 3
Sadly, this sort of crime and data insecurity is happening all across the country in all sorts of organizations, both private and public, corporate companies.

I agree with you, something needs to be done - either laws to make people accountable for their lack of regard of employee data (I think this is a last resort), or further education of IT staff, and the monkeys at the top (they only care if their banana trees and coconuts are giving them food or not, not how it gets there) on the graveness of this problem and the repercussions.

However, I think there will continue to be a multitude of organizations that continue to take shortcuts, or lackluster personnel who lack the think-it-through, motivation, or are just purely lazy and will continue to do this. I'd think like you said a true solution would be to access this data through a secure VPN or local network, and the data to never be stored on the local hard drive. It would all be centrally held say in a database and accessed through a client that only would allow peering into the data one screen at a time with zero buffer/storage ability - akin to a dumb terminal with all copy/paste ability disabled.


By Seemonkeyscanfly on 6/9/2008 12:30:48 PM , Rating: 2
I do believe there are enough laws out there to protect the people, at least in the medical and law fields. The problem is common sense - Most people do not realize just how easy it is to steal and use that information. So, enforcing the current laws should be enough. I do completely agree with you that there needs to be more education on this subject, but to all not just techs and upper executives. Most mistakes are made by people trying to do the best job they can, but unfortunately they do not see or understand the damage they are doing or could be doing.


RE: when are we going to get a clue!
By StevoLincolnite on 6/9/2008 9:43:12 AM , Rating: 2
Operating Systems love to cache things, as part of redundancy. Heck they may not even have stored a hard copy at all, but the Operating System had a copy in a cache somewhere, however in this case, it may not have been a student's machine, could have been a lecturer, or someone else higher up.


RE: when are we going to get a clue!
By omnicronx on 6/9/2008 9:53:11 AM , Rating: 2
quote:
Operating Systems love to cache things, as part of redundancy
Use a little common sense here, the OS does not cache the entire database in memory, it simply fetches the information that you query. It is also a hell of a lot harder to get at information in the cache, than pretty much anything on the hard drive.


RE: when are we going to get a clue!
By aharris on 6/9/2008 10:15:34 AM , Rating: 2
It could have been a spreadsheet for all we know.

*Shrug*


RE: when are we going to get a clue!
By omnicronx on 6/9/2008 10:25:52 AM , Rating: 2
Not unless it was spread across multiple sheets, the Excel maximum sheet size is around 65,000 rows.


RE: when are we going to get a clue!
By amanojaku on 6/9/2008 10:44:19 AM , Rating: 2
65536, to be exact. So anything greater would be several columns, several files or multiple sheets in a file, likely grouped by calendar or fiscal year. I think aharris was just pointing out the fact that data on a laptop or PC would usually be in the form of a ubiquitous data format. An SQL database would be highly unlikely, even for Stanford, due to the difficulty in transferring data from point A to point B while maintaining consistency. Access is another "DB," but that's just too disgusting to think about.


RE: when are we going to get a clue!
By Lifted on 6/9/2008 11:30:49 AM , Rating: 2
1,048,576 rows by 18,278 columns with Excel 2007, to be exact.


RE: when are we going to get a clue!
By amanojaku on 6/9/2008 11:45:38 AM , Rating: 3
Actually, that's 16,384 columns in 2007. Binary multiples.

http://msdn.microsoft.com/en-us/library/aa730921.a...


RE: when are we going to get a clue!
By Lifted on 6/9/2008 12:13:51 PM , Rating: 2
This is copied from the Excel Help.

Microsoft Office Excel 2007 has more rows and columns than ever before with the following new limits: 18,278 (A to ZZZ) columns wide by 1,048,576 rows tall.

You do the math. A - ZZZ = 18,278.


By Lifted on 6/9/2008 12:17:05 PM , Rating: 3
Well look at that. I just tried to fill a sheet and it only went to column XFD. Excel Help lies! ;)


By aharris on 6/9/2008 12:05:50 PM , Rating: 2
Thanks for clarifying this


By omnicronx on 6/9/2008 6:19:14 PM , Rating: 2
quote:
An SQL database would be highly unlikely, even for Stanford, due to the difficulty in transferring data from point A to point B while maintaining consistency.
I understand that the data stored on this laptop was probably not an SQL database, but a bunch of Excel sheets or an Access database. But I still have to beg the same question as before, why is a database of 72,000 entries in which only 1 person can access it on a laptop? A university like Stanford should know better, and I just do not see why this sort of conduct is allowed, it should be common sense by now.


Yet again?
By lemonadesoda on 6/9/2008 8:03:19 AM , Rating: 3
I'm getting rather tired of this persistent lack of data security seen repeatedly at so many organisations.

I'm delighted it has happened to this prestigious University. Egg on face is what they deserve. I have nothing against the University as such, other than it is an example of the lack of action taken by so many institutions, and their officers, regarding private confidential information. It is a demonstration of their lack of care if not incompetence. And inability to put in place quite simple policy and policy control.

No confidential data to leave the building. And if people take their laptops home, then no such data on laptops. Disciplinary measure: fired.

Isn't that simple? No guns IN the building. No data OUT. Period.




RE: Yet again?
By Aloonatic on 6/9/2008 8:57:05 AM , Rating: 2
There are standards (ISO/IEC 27001) in data security that can be met for accreditation.

This is something that we are having to look into here as more and more of our customers are requiring compliance.

I'm not saying that standards accreditation and conformance measurement will stop all data loss, but it is something that more of these large public bodies should be trying to attain.

A lot of them just do not seem to be taking this problem seriously.


RE: Yet again?
By tspinning on 6/9/2008 9:45:54 AM , Rating: 2
While it shouldn't happen, or there should be measures in place to safeguard the data there, working in an academic environment is much different than a corporate one, even at such a prestigious institution such as the one mentioned here it isn't always possible to have the security measures IT knows should be in place actually there.

In these institutions IT is a means to the unfettered exchange of ideas, and not a group of people with teeth who can set policy. Very simply, they are the provider for the whims of interest on that campus. College IT is rarely able to act and maintain a quality IT environment in the same manner as a bank or other large enterprise when it comes to data retention, security, password, or encryption policies.

In academia you have faculty and staff, many of whom still get their emails printed out for them daily as the guiding hand for IT policy, and while student and employee data is confidential (and protected similar to your financial and medical records) you can bet the academics don't take lightly the fact they can no longer query their database off network, or can't create the needed reports due to not having access to the files (or a local copy). They don't see the depth of the issue as it relates to security, just as you the IT guy, probably don't know what it takes to get research grants funded. (And why the 1.25" margin is so important!)

I'm not trying to defend this, but judging a group of people based off corporate standards (is fine for comparison) but expecting academic IT to TELL tenured faculty, college presidents, provosts and distinguished fellows "this is how it is going to be" is quite different. Privileged staff, presidents, and lawyers are powerful respected parts of this community and attempting to force any hand in places that are so entrenched in academic debate and discussion pushes the issue further from the table and allows the person who is debating the issue to win on grounds not based in IT/PC logic (security) but in academic discourse due to more argumentative experience.

.02


RE: Yet again?
By Jackattak on 6/9/2008 3:09:27 PM , Rating: 2
The expectations of the corporate environment should very much so be demanded of the academic environment, be they demanded by the "academic" IT (whatever that is) or by the executive management themselves. Believe it or not, academic organizations are still merely businesses. The employees are just that. They are no different just because they have "tenure" or are some poppycock "fellow." They are nothing more than an em-ploy-ee and can and will be held to the exact same standards as every single other organization within the United States of America.


RE: Yet again?
By BarkHumbug on 6/11/2008 10:32:03 AM , Rating: 2
quote:
They are no different just because they have "tenure" or are some poppycock "fellow."


LMAO


RE: Yet again?
By androticus on 6/9/2008 8:36:42 PM , Rating: 2
I strongly disagree. Here at Uni