The P.K. Yonge Development Research School at the University of Florida has announced a data breach affecting students and employees. A laptop computer was stolen from a car, and it looks like hard drive encryption was not used to secure the data (although that won’t be true for long).
8,300 People Affected
According to the University of Florida, “P.K. Yonge is a kindergarten-through-grade-12 laboratory school affiliated with University of Florida’s College of Education.” The stolen laptop appears to have been used by an administrator, since the information includes not only student information but employee information as well, such as payroll and parking permit information.
The information goes all the way back to 2000, and also includes names, SSNs, and driver’s license numbers. Academic and medical records for students were not stored on the computer.
Password-protection was used to protect the data, but it appears that encryption software was not. Which begs the question, why not?
The theft took place in San Francisco when someone broken into a rental vehicle. In other words, the laptop traveled all the way from Florida to California. It also had to travel back, had it not been stolen. I think it’s pretty safe to say that the laptop–which, I remind you, contained restricted information–was outside a secure area for a good while. Plus, one of the more common places where laptops get lost or stolen is at the airport.
So, you’ve got a laptop that’s full of sensitive information. It’s not only on the move, which means there’s already a heightened risk of a data breach, it’s heading towards a high risk area when it comes to laptop thefts.
(Granted, the laptop was not stolen at the airport; however, you don’t come out of a battlefield unscarred and say, “well, putting on my bulletproof vest was useless.” Protection requires looking at the situation beforehand and evaluating your risk profile, not evaluating your specific outcome after the fact.)
It’s quite obvious that laptop encryption like AlertBoot ought to have been used on the laptop. In fact, I would have recommended it regardless of the travel plans, since it contained SSNs and other sensitive information, and was probably kept in a low-security area: in my experience, most college administrative offices tend to have poor physical protection due to the relative safety of campuses.
Update: Ah, I forgot. The university for its part has stated that it has started encryption on their laptops, I assume on account of this latest data breach.
Related Articles and Sites: