At least 15,000 California State University, Fresno “student athletes, sports-camp attendees, and Athletic Corporation employees” were affected by a data breach earlier this year, according to kmph.com and other news sites. An external hard drive, 18 laptops, and other items were reported missing on January 12 from the university’s North Gym building. On the face of it, the drive itself was not the target: the theft, judging by the university’s 2017 – 2018 academic calendar, appears to have been timed to coincide with Fresno State’s winter break.
Data From 2003 Onwards
In Fresno State’s public data breach notification, the university notes that only 300 of those affected are “currently affiliated with the University,” implying that most of the breached records belong to former students, sports-camp attendees, and former employees.
The breached information includes:
some personal information, including names, addresses, phone numbers, dates of birth, full or last four digits of Social Security numbers, credit card numbers, driver’s license numbers, passport numbers, user names and passwords, health-insurance numbers and personal health information.
Considering the type of information that was being held, and how far back it went (15 years), it’s hard to understand why this external drive, which was used as a backup device, was not protected with encryption. Why wasn’t it?
Possibly, the (roundabout) answer lies in the 18 laptops, which Fresno’s notification does not mention. Why leave them out if they were stolen at the same time as the external drive? One possibility is that none of them held any personal, sensitive data.
The more probable explanation is that the laptops were encrypted, which would exempt them from the breach notification: encrypted data whose key was not also compromised generally falls under the safe harbor in breach notification laws. Following that train of thought, Fresno is probably dealing with one employee’s wayward data security practices, such as an unmanaged external drive used for backups outside the IT department’s encryption policy. Of course, it could also be that the IT department fumbled: with hundreds of devices to secure, an odd hard drive or two can slip through the cracks and remain unprotected, which is exactly why encryption coverage should be inventoried and verified per volume rather than assumed.
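As an added illustration of the “slipped through the cracks” problem (this is example code written for this post, not anything from Fresno State or from any product): a small Python audit that walks the block-device tree reported by lsblk and flags every mounted filesystem that does not sit on top of a dm-crypt/LUKS layer. It assumes Linux hosts with util-linux’s lsblk; the JSON below is constructed to match the shape of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT,RM` and models a laptop with an encrypted root plus an unencrypted removable backup drive. The function and argument names are this example’s own.

```python
import json
import subprocess

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT,RM`
# (assumed: a Linux host with util-linux lsblk). It models a laptop whose root
# filesystem sits on LUKS, plus a removable backup drive that does not.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "rm": false,
   "children": [
     {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi", "rm": false},
     {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "rm": false,
      "children": [
        {"name": "root_crypt", "type": "crypt", "fstype": "ext4", "mountpoint": "/", "rm": false}
      ]}
   ]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "rm": true,
   "children": [
     {"name": "sdb1", "type": "part", "fstype": "ntfs", "mountpoint": "/media/backup", "rm": true}
   ]}
]}
"""

# Mountpoints that are expected to be unencrypted on a LUKS-based system
# (the bootloader must read them before any key is available).
DEFAULT_IGNORE = ("/boot", "/boot/efi")


def _is_removable(dev):
    # lsblk emits booleans in newer util-linux and "0"/"1" strings in older ones.
    return str(dev.get("rm", "")).lower() in ("1", "true")


def find_unencrypted_mounts(lsblk_json, removable_only=False, ignore=DEFAULT_IGNORE):
    """Return (device, fstype, mountpoint, removable) for every mounted filesystem
    that has no dm-crypt ('crypt') device anywhere in its ancestry."""
    tree = json.loads(lsblk_json)
    findings = []

    def walk(dev, under_crypt):
        # A filesystem is considered encrypted only if a 'crypt' device sits
        # somewhere between it and the physical disk.
        under_crypt = under_crypt or dev.get("type") == "crypt"
        mnt = dev.get("mountpoint")
        removable = _is_removable(dev)
        if mnt and not under_crypt and mnt not in ignore:
            if not removable_only or removable:
                findings.append((dev["name"], dev.get("fstype"), mnt, removable))
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for dev in tree["blockdevices"]:
        walk(dev, False)
    return findings


def audit_live_host(removable_only=False):
    """Run lsblk on this host and return the findings (Linux only; hypothetical
    entry point for a fleet-wide inventory job)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT,RM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_unencrypted_mounts(out, removable_only=removable_only)


if __name__ == "__main__":
    for name, fstype, mnt, removable in find_unencrypted_mounts(SAMPLE_LSBLK_JSON):
        kind = "REMOVABLE" if removable else "fixed"
        print(f"UNENCRYPTED {kind:9} {name:10} {fstype or '?':8} mounted at {mnt}")
```

On the constructed sample the only finding is the removable ntfs drive at /media/backup, which is the kind of device that ends up as an ad hoc backup target. Run the live variant from a scheduled job and feed the findings into whatever inventory the IT department already keeps; on Windows fleets the equivalent check is BitLocker protection status per volume rather than lsblk.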
Fresno, like many entities that report on data breaches, noted that they had:
not received any reports that any of the stolen information has been accessed or misused in any way, and there is no reason to believe that the hard drive was stolen for the information it contained.
Lawyers should stop their clients from adding the above language to breach notifications. It’s embarrassing. The problem with it (aside from being about as believable as “we’re sending this notification out of an abundance of caution,” when everyone knows you’re sending it because it would be literally illegal not to) is that it is meaningless.
In this day and age, people know that the data on a device can be worth more than the hardware itself, and you can bet that people who steal computers are even more aware of this. So, not having received any signals that the stolen information was accessed means squat: nobody who copies data off a stolen drive reports it to the victim, and misuse such as identity fraud can surface months or years later.
In addition, there’s the implication that the information was not, or will not be, accessed because the hard drive wasn’t stolen for the information. How faulty is that logic? Suppose some guy boosts a car because he’s going to sell it to a chop shop. Are you telling me he isn’t going to take a peek in the glove compartment or the trunk because he stole the car for its hardware and not its contents? Lift the armrest to check the center console? Pocket the quarters in the ashtray?
Having your personal details stolen is terrible. Receiving a breach notification letter is terrible. Ham-fisted attempts at PR are vexing and insulting. It wouldn’t be surprising if such language backfired: not only does it fail to comfort people, it encourages them to file lawsuits.