CollegeInvest Loses Computer Hard Drive Lacking Full Disk Encryption.

CollegeInvest, a not-for-profit division of the Colorado Department of Higher Education, is alerting customers—approximately 200,000 of them—that their personal information may have been compromised.  Details are still sparse; for example, I am unable to find what type of personal information could have been exposed in this particular case.  Makes me wonder if the state of Colorado is exercising a little precaution so that nobody goes around looking for 200,000 entries of sensitive information on a random hard drive they picked up.


According to CollegeInvest, however, there is no need to panic because the data was secured with passwords as well as saved in a format that is difficult to access.


The frustrating thing about all this secrecy is that one can’t tell how vulnerable he might be to identity theft.  For example, consider the password that is supposedly securing the data.  Based on what I’m reading, it sounds like the device that was stolen was an external hard drive.  My own experience with most external hard drives shows that a password is not required to access them; indeed, passwords are generally tied to a computer (more specifically, the computer’s operating system).


So, it looks like CollegeInvest went to great lengths to either secure the hard drive (and if so, why not go all the way and use a hard disk encryption solution like AlertBoot?) or to secure the file in question. Either that or CollegeInvest has absolutely no idea in what context they were entering a password.  Well, it may not be that bad, but I get the feeling that data security may not be their forte. Let me explain.


I’ve heard of instances where an organization assures its clients that identity theft is a minor concern because something is in an unusual format.  However, the format one is referring to is physical.  For example, say a backup tape was lost.  Backup tapes require a tape drive, as well as a computer, to access the data.  Tape drives are readily available, it’s true; however, they’re usually relegated to business venues.  So, if a tape with sensitive information is lost, the format may offer some (but very little) protection.  Likewise if the lost data were stored on a 5.25” floppy disk.


The protection provided here stems from the relative rarity of the data reading devices.  Obviously, if the thief has such a device, there is no protection.  In CollegeInvest’s case, what was lost appears to be an external hard drive.  All one has to do is literally plug it into a computer to access the contents.  There is no hard drive “drive” one has to obtain prior to reading the data.  So, there goes the argument for the format providing some type of protection.


But the file! you say.  The file could be tied to some kind of proprietary software.  If I don’t have Microsoft Excel, I can’t open Excel files, right?  I can’t get to the data.


You’d be wrong.  Remember, the computer doesn’t care how you store the data; it stores everything in ones and zeroes.  Get yourself the right software (and it’s plenty cheap), and you could be scouring a hard drive for SSNs and other personal information regardless of what type of file they’re stored in.  Google Desktop, for example, requires the use of a web browser, but I can use it to find certain data in Microsoft Excel. The format does not matter.  (Some people will cringe at the example, but I think it makes the point for the average Joe.)


The only way CollegeInvest could rest easily at night, knowing the contents of their now-lost hard drive are secure from prying eyes, is if they had employed some form of encryption.
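
The point is easy to check for yourself. The following is an added example, not code from the original post: a DLP-style scan over raw bytes finds SSN-shaped strings inside a constructed binary record format, and finds nothing once the same bytes are encrypted. The record layout, the sample values and the SHAKE-256 XOR keystream (a stand-in for real full disk encryption) are assumptions made for the demonstration.

```python
import hashlib
import re
import struct

# SSN-shaped strings as ASCII/UTF-8 bytes and as UTF-16LE (each char followed by NUL).
SSN_ASCII = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
SSN_UTF16 = re.compile(rb"(?:\d\x00){3}-\x00(?:\d\x00){2}-\x00(?:\d\x00){4}")


def find_ssn_like(blob: bytes) -> list[str]:
    """Scan raw bytes for SSN-shaped strings, ignoring any file structure."""
    hits = [m.group().decode("ascii") for m in SSN_ASCII.finditer(blob)]
    hits += [m.group().decode("utf-16-le") for m in SSN_UTF16.finditer(blob)]
    return hits


def unusual_format_record(name: str, ssn: str, wide: bool) -> bytes:
    """Constructed 'hard to access' format: magic, binary header, fixed-width fields."""
    enc = "utf-16-le" if wide else "ascii"
    body = name.encode(enc).ljust(64, b"\x00") + ssn.encode(enc).ljust(32, b"\x00")
    return b"XFMT" + struct.pack("<HI", 7, len(body)) + body


def encrypt_stand_in(blob: bytes, key: bytes) -> bytes:
    """XOR with a SHAKE-256 keystream. Demo stand-in only, not a real disk cipher."""
    stream = hashlib.shake_256(key).digest(len(blob))
    return bytes(a ^ b for a, b in zip(blob, stream))


# Constructed sample data. Area number 000 is never issued, so these are not real SSNs.
IMAGE = (
    unusual_format_record("Jane Sample", "000-12-3456", wide=False)
    + b"\xff" * 128  # filler standing in for unrelated sectors
    + unusual_format_record("John Sample", "000-98-7654", wide=True)
)
KEY = b"constructed demo key"

if __name__ == "__main__":
    print("plain drive:    ", find_ssn_like(IMAGE))
    print("encrypted drive:", find_ssn_like(encrypt_stand_in(IMAGE, KEY)))
```

The same scan run against a drive before it leaves the building is a quick way to confirm whether "unusual format" is the only thing standing between the data and whoever finds it.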
