Hard Drive Encryption Missing: Cornell Has Breach, 45000 Affected.

Forty-five thousand current and former students and staff members (and some dependents) are the victims of a data breach at Cornell University due to the theft of a computer.  The university has set up a site (a FAQ, actually; see address at the end of this post) with details.  It can be inferred from the site that data encryption software like AlertBoot was not used to protect the contents.


Unfortunate, really, because this means that potentially 45,000 SSNs and names are at a high risk of being divulged.  At $1 each, it means a cool $45,000 on the black market.  If I were criminally inclined, I’d probably try to gain access to the computer–encryption or not.


The Breach – Outside the University’s Control?



Before I begin with my negative criticism, as I’m wont to do, I’d like to point out that there was only so much Cornell could have done to prevent this data breach.  According to point number five on the FAQ, a staff member who, apparently, works in the IT department was using the information for troubleshooting purposes.  And he did it on an unprotected computer.


Also, Cornell’s “information security policies and guidelines do not allow unencrypted confidential personal data to be stored on any computer device that is not in a physically secured location.”


And, if someone were enforcing and tracking compliance of such measures, who would it be?  Probably the IT department.  So…who’s gonna police the police?


The only way to prevent the breach would have been to force encryption on all computers used by staff at the university.  And, this would have been (relatively) easy to do with a centrally managed encryption suite.  But then, the IT department would also have been in charge of that.


So, there’s very little the university could have done.


I’ve Got A Beef



That said, there’re a couple of things I’m not crazy about in the FAQ, namely points 2 and 4.



2. If I didn’t receive an e-mail or letter, does this mean that my information was not on the stolen computer?


Yes. We have conducted a very thorough analysis of a backup of the data on the computer. If you did not receive an e-mail notification or a notification letter, we did not find your personal information in the backup data from this computer.


Maybe it’s just me, but where’s the guarantee that Cornell will have current and valid addresses for all 45,000 people?  My understanding is that the figure includes former students and staff as well.  You’ve got to admit that there’s a chance someone out there is not going to receive an e-mail or a letter, yet be a victim of this latest breach, unless the irresponsible IT staff member took care of only using names that have been verified to have a valid address, which is quite unlikely.


Although I’ll grant that the project the guy (or gal) was working on may have involved only donors who had given money recently, say, three months ago, in which case the addresses on file would be current.


4. Has the data been misused?

To date, we have no knowledge that the personal identity information contained on the computer has been misused or exploited. We will update this website promptly if we learn otherwise.


I’ve read such statements before, and I’ve never, ever liked them–and this is why:  I don’t know about you, but this is the first time I’ve heard about this story.  And apparently, this is news to the rest of the world: otherwise, it wouldn’t have been classified as “breaking news.”  In fact, I believe Cornell’s own WVBR may have been the first to report on this breach–and I’m pretty sure that the FAQ site went up after WVBR’s initial report.


So, what are the chances that the data may have been misused but not be on people’s radar?  Pretty high, I’d say.  Even if an affected Cornellian found that, say, a mortgage had been granted by someone using his SSN, how would he know that it was related to this latest incident as opposed to some other data breach?  He wouldn’t know because this is the first time he’s hearing about the Cornell breach.


In turn, it means that Cornell doesn’t know about this either (the person hasn’t had a chance to call in to complain), so of course the university has no knowledge of misuse…


Related Articles and Sites:
http://faq-june2009.cuinfo.cornell.edu/
http://breach.scmagazineblogs.com/2009/06/23/sensitive-computer-stolen-from-cornell-university/
http://wvbr.com/news/660
http://cornellsun.com/node/37474
http://wvbr.com/news/663


