CollegeNet, a company that brands itself “the world’s leading ‘virtual plumber’ for higher education internet transactions” and proclaims that “it pays to think” has filed a letter with the Maryland Attorney General’s Office to alert them of a data breach.
While not mentioned in the letter to the AG, a copy of the letter to be sent to affected MD residents explicitly states that the data was not encrypted. Without encryption software like hard disk encryption from AlertBoot, the names, addresses, phone numbers, email addresses, SSNs, driver’s license numbers, and dates of birth on that laptop are readable by whoever has the machine, and could potentially be exposed to identity thieves.
While CollegeNet has not revealed how many people were affected overall, it is required to report how many Maryland residents were affected to the MD AG: twenty-three people in this case. And while we can expect the total number to be much bigger, it doesn’t seem to me that it will number in the tens of thousands like some of the more high-profile cases. That’s because the letter also makes it clear that the lost laptop contained information for people who applied with the NFLPA to be a contract advisor, i.e., a sports agent. This explains the cornucopia of information that was lost; according to what I’ve read, becoming a certified agent also requires a background check. Since it’s confined to people who are trying to become sports agents, I’d imagine the upper limit on how many people will be affected is quite low.
CollegeNet has stated that the stolen computer did have password-protection, but this is not really protection. A login password is enforced by the operating system while it is running; it is not a property of the data sitting on the disk. If the password is tied only to the operating system, it can be bypassed without ever providing a password: pull the drive and attach it to another machine, or boot the laptop from removable media, and every file is readable as plain bytes. All one needs is a screwdriver and nimble fingers. What CollegeNet should have done is encrypt the contents, either using file encryption to protect individual files or employing full disk encryption to protect the contents of the entire computer’s disk. Especially if they were going to store all of this information on a laptop computer that would end up unsupervised in a car.
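To make the difference concrete, here is an added example (not code from the original post, and not anything CollegeNet or AlertBoot ships). It builds a small constructed “disk image” with made-up applicant records laid down between filler blocks, the way file contents sit on an unencrypted volume, and carves SSNs and dates of birth straight out of the raw bytes, which is exactly what a thief does with the drive pulled from a password-protected laptop. It then runs the same carve against the image encrypted with a passphrase-derived key. The cipher here is a stand-in: a SHA-256 counter-mode keystream so the script runs with the standard library only, whereas real full disk encryption products use a sector cipher such as AES-XTS. The record layout, field names and passphrase are all assumptions made for the example.

```python
import hashlib
import re

# Constructed sample data: fictional applicant records of the kind the post describes.
RECORDS = (
    b"name=Jane Q. Applicant;ssn=123-45-6789;dob=1975-04-12;dl=A1234567\n"
    b"name=John R. Applicant;ssn=987-65-4321;dob=1980-11-30;dl=B7654321\n"
)

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(rb"\b(19|20)\d{2}-\d{2}-\d{2}\b")


def build_raw_image(records: bytes, block_size: int = 512) -> bytes:
    """Lay the records between zero-filled filler blocks, imitating file data
    sitting in plain data blocks on an unencrypted volume (constructed image)."""
    filler = b"\x00" * block_size
    return filler * 4 + records + filler * 4


def carve_pii(image: bytes) -> dict:
    """Scan a raw image byte-for-byte for SSN and DOB patterns.

    No login and no OS password is involved anywhere in this function: it reads
    the bytes the way a drive attached to another machine exposes them."""
    return {
        "ssns": [m.group(0).decode() for m in SSN_RE.finditer(image)],
        "dobs": [m.group(0).decode() for m in DOB_RE.finditer(image)],
    }


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Derive the disk key from a passphrase (pre-boot authentication in real FDE).
    This is why the passphrase must not travel on a sticky note with the laptop."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in for a real sector cipher (AES-XTS in actual FDE products):
    SHA-256 in counter mode. Illustrative only; do not use as a cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_image(image: bytes, key: bytes) -> bytes:
    """XOR the whole image with the keystream (same function decrypts)."""
    return bytes(a ^ b for a, b in zip(image, keystream(key, len(image))))


decrypt_image = encrypt_image


def demo() -> dict:
    """Return what a thief carves from the plain image versus the encrypted one."""
    plain = build_raw_image(RECORDS)
    key = derive_key(b"correct horse battery staple", b"example-salt")  # assumed passphrase
    encrypted = encrypt_image(plain, key)
    return {
        "unencrypted_laptop": carve_pii(plain),
        "encrypted_laptop": carve_pii(encrypted),
        "wrong_passphrase": carve_pii(decrypt_image(encrypted, derive_key(b"guess", b"example-salt"))),
    }


if __name__ == "__main__":
    for scenario, found in demo().items():
        print(scenario, found)
```

The carve over the plain image returns both SSNs and both dates of birth; over the encrypted image, and over an image decrypted with the wrong passphrase, it returns nothing, because the disk blocks are indistinguishable from random bytes until the right key is derived. Note that the OS login never appears in the code at all, which is the point: it was never standing between the thief and the data.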
When it comes to protecting portable digital devices like laptops, PDAs, cell phones, and others of their ilk, there are three rules to follow. One, tie it down to something. Two, if you can’t tie it down, keep your eyes on it. Three, make sure no one whacks your head from behind; otherwise, the second rule is broken. When it comes to protecting the data on portable devices, though, there are two rules, as far as I’m concerned. One, encrypt that stuff. Two, do not attach to the device a sticky note with the username and password for accessing the protected data.
You’ll notice that there is no rule number three. That’s because, if unauthorized people are trying to access the contents of your encrypted data, the last thing they want to do is whack your head, assuming you followed rule number two: the key lives in your head, and it is of no use to them if you can no longer produce it. Forgetting your username and password would be a great way to keep the contents secret, permanently. (Well, for all intents and purposes. With a well-chosen passphrase and a modern cipher, brute-forcing the content is a matter of centuries or more, which is a long time to wait to force it open.)