According to databreaches.net, Plymouth State University has alerted the Attorney General of New Hampshire to alert them of a data breach that was discovered on May 18, 2011. An external hard disk drive, used as a backup storage device, was missing. It does not appear to have been protected with the use of disk encryption software like AlertBoot.
Under the circumstances, it’s understandable. Yet, it shows us how flaws in data security show up in those instances where commonsense dictates nothing should happen.
According to the letter to the AG, the missing hard drive was “used to back up and restore data during a computer replacement.” So, it’s not really a permanent backup device as it is a temporary one. In fact, the letter adds that “the data would have been removed from the hard drive as soon as the installer was confident that the new computer was functioning properly.”
Really? They would have? The letter doesn’t reveal when the information was copied over to the computer, which would allows us to see how long that data was stored on that temporary backup device. Was it one hour? One day? One week? One month? Regardless, for such devices under those circumstances, the use of encryption software is questionable.
In fact, policy-wise, I can see why administrators would opt not to use encryption. The thinking goes like this: what are the chances I’ll have a data breach? After all, the data gets deleted right after it’s copied to another computer.
On the other hand, I can think of at least three reasons why you should use encryption despite the low probability of something happening:
Data doesn’t get deleted correctly. I don’t expect IT personnel to engage in such practices, but I can see instances where data gets “emptied from the recycling bin” but not actually written over. The only way to delete to data is to write other data over the original, not unlike getting rid of graffiti by laying a fresh coat of paint over it.
Data doesn’t get deleted. Sometimes people forget about the policy of deleting data. Sometimes people get lazy. Sometimes there is another data copying job that you have start right after the one you’ve just finished, and think it’s an excellent want of getting rid of the old data. In that short interval, a data breach takes place.
Things get stolen when you least expect it. This is a continuance of my last sentence above. The thing is that there is no rhyme or reason or correct timing to things getting stolen. Granted, if you have adequate physical security, you can severely reduce such incidences; however, it will never reach a zero-incident level.
Using the powers of post-incidental omniscience, we know that PSU would have been better off if it had decided to use some type of cryptographic solution. The question at this point is, will they change their policies to do so? Or will they gamble again, knowing that the odds are in their favor?
In this particular breach, the sensitive information of 1,059 students in the teach education program was compromised. Only those who were in the program between 2005 and 2010 are affected. PSU gives an explanation that SSNs “were necessary in order to forward teacher candidates to the state licensing board for approval,” implying that something changed beginning in 2011 (and which I think everyone involved in making the changes should be applauded).
The compromised information involves names and SSNs only, it seems. The university is offering one year of free credit monitoring.