Stanford University data breach leaks sensitive information of approximately 62,000 employees

A data breach resulting from a stolen laptop has leaked sensitive information, including Social Security numbers, of approximately 62,000 (as reported by Stanford University) current and former Stanford University employees. The Privacy Rights Clearinghouse, a site devoted to collecting data breach information, reports the number as 72,000, and I'm not positive which figure is more accurate at this time. Stanford's site says that original estimates placed the number at 72,000, so I'm inclined to believe that the number is actually 62,000.

This is just the newest example of a university falling prey to a data breach. In fact, if you look through the aforementioned Privacy Rights Clearinghouse site, you'll see numerous universities listed, some with pretty amazing numbers of records stolen.

For the record, this isn't to point the finger at Stanford. The point of the article is simply that, just like financial services organizations, health care providers, etc., schools (and I say schools since this could translate to high schools just as easily) hold an amazing amount of data and typically have less stringent security controls and fewer governing compliance demands.

I've posted the response from Stanford University's site below. There are a couple of key areas I'd like to point out:

  • First, Stanford answers what happened, and I'm blown away that a single laptop contained this much sensitive data. I'm wondering what this laptop could possibly have been used for.
  • Stanford lists what data was on the laptop, and it is certainly very sensitive data; name, date of birth and Social Security number together are the core of an identity-theft kit.
  • Stanford declines to say whether the data was encrypted, citing the ongoing legal case. I'm not really sure why that would matter unless the data was not encrypted. Worth noting: California's breach-notification law (SB 1386) applies to unencrypted personal information, so an organization that had encrypted the disk would normally have every reason to say so.
  • We should give Stanford some credit for jumping on this quickly and getting as many facts as they could out to victims. Data breaches are tough problems to handle.

From Stanford University's website:

FAQ on Stolen Laptop Incident

LAST UPDATED: June 18, 2008.

Questions & Answers regarding a stolen laptop which contained restricted information about Stanford employees.

  1. What happened?

     A laptop was stolen that contained records of approximately 62,000 current and former employees.* On June 5 we learned that it contained restricted information. Immediately upon learning of this situation, Stanford mobilized to identify contact information for the affected individuals and sent e-mail notification to current employees, including faculty and staff. We are mailing notification letters to the rest of the affected individuals.

    * Original estimates placed the number of affected individuals as high as 72,000.

  2. Am I affected?

     Your personal identifying information is likely to be in the data file if you received a paycheck from Stanford prior to September 28, 2007. This group includes faculty, staff and students who have been employed by the University in any capacity. SLAC and Stanford hospital employees are not in the file unless they previously worked at or are otherwise affiliated with the University. SLAC retirees may be included in the data file since they receive retirement benefits through the University. We are sending notification letters to let you know if you were one of those affected. If you do not receive a letter by June 30, 2008, please call 1-888-200-8799 between 6:00 a.m. and 3:00 p.m. (Pacific Time) to speak with a Kroll customer service representative and confirm if you are an affected individual.

  3. If I didn't receive an e-mail or letter, does this mean that my information was not on the stolen laptop?

     No. While we tried to reach everyone whose information was on the laptop, we may not have current contact information for you. You can call 1-888-200-8799 between 6:00 a.m. and 3:00 p.m. (Pacific Time) to speak with a Kroll customer service representative and confirm if you are an affected individual.

  4. What will Stanford do to help mitigate the cost and inconvenience to me?

     Stanford is committed to providing enhanced safeguards against identity theft for affected individuals. We have entered into a relationship with Kroll, a New York-based risk-consulting company, to provide one year of credit reporting, credit monitoring, and identity-theft restoration services at university expense. If you were an affected individual, you will be receiving a notification letter describing how to take advantage of these services. If you do not receive a letter by June 30, please call 1-888-200-8799 between 6:00 a.m. and 3:00 p.m. (Pacific Time) to speak with a Kroll customer service representative and confirm whether or not you are an affected individual.
  5. What data was on the laptop?

    • Name, gender, date of birth
    • Social Security number
    • Salary, business title, office location, office phone number, and e-mail address while employed by Stanford
    • Home address and phone number while employed by Stanford
    • Stanford ID card number and Stanford employee number

    There are no driver’s license numbers, credit card numbers, bank account numbers or other financial information in this file.

  6. Has the data been misused?

     We believe that the perpetrator of the crime was not seeking the records on the computer or even aware of them. Often, such thefts are property crimes in which the laptop's hard drive is erased before the laptop is resold. However, to date, while we still have no knowledge that the information has been misused, we wanted to be sure that individuals who may be affected are notified of the risk so they can take appropriate action.

  7. Was the information encrypted?

     Because this is part of an active criminal investigation, we are not disclosing publicly the details of the protection of the data on the laptop.

  8. Why was this information on a laptop? How can you be sure a similar incident won't happen again?

     The University's policies follow best practices for protection of confidential information. Under Stanford's policies, restricted data may not be stored on a laptop or any other unprotected system or device. Clearly, this incident violated our information security policies and procedures, and it demonstrates that we must have heightened vigilance in this area. To that end, Randy Livingston, Vice President for Business Affairs and CFO, will be leading a task force to review all policies and practices regarding safety and security of sensitive data.

  9. Is there an investigation into this incident?

     Stanford has reported the stolen laptop to law enforcement and is working with them to identify the perpetrator(s). We cannot discuss further detail of an active investigation.

  10. What else is the University doing?

     Stanford is working with law enforcement to recover the laptop. Stanford has alerted Human Resources and the Computer Help Desk about this incident, and will scrutinize any requests for changes to passwords or personnel profiles. Stanford is committed to working with our affected community members to safeguard against identity fraud that may result from this crime. If we discover a pattern of fraud over the next few months, we will provide further notification to everyone affected.

  11. What do affected individuals need to know to safeguard themselves?

     You will find complete and helpful information about your rights and precautions that you should consider taking at:

    In addition, Stanford is making credit reporting, credit monitoring and fraud restoration services available to affected individuals through Kroll, a New York-based risk consulting company. If you were an affected individual, you will be receiving a notification letter by June 30, 2008 describing how to take advantage of these services.

  12. What have you done to inform affected individuals about the incident?

     We immediately began our effort to contact employees as soon as we learned that files on the stolen laptop contained sensitive employee information. We reached out to current employees by e-mail and are mailing notification to everyone else in the data file. We also notified the press. We want to be sure that the information reaches the broadest audience possible so that everyone affected will hear the news and have an opportunity to take appropriate action.

  13. Can I get more information?

     Currently, this is the most recent information that we have about this incident. We will be updating this FAQ if there is new information. In the meantime, if you wish to know if you are an affected individual, would like more information about Kroll's services, or have other questions, please call 1-888-200-8799 between 6:00 a.m. and 3:00 p.m. (Pacific Time) to speak with a Kroll customer service representative.

Topics: Data Centers, Hardware, Laptops, Mobility

Talkback

16 comments
  • No end to these breaches.

    As long as we're dealing with human beings, breaches of this sort will happen again, and again. The only solution is to enforce full disk encryption, and any employee not doing that would face a firing squad at Iraq :p
    kraterz
    • Haha

      That's maybe a bit extreme. We're just touching the tip of the iceberg with data breaches... there's so many we don't know about, of that I'm sure.
      nmcfeters
    • RE: No end to these breaches...

      Quote: [i]The only solution is to enforce full disk encryption, [b]and any employee not doing that would face a firing squad at Iraq[/b][/i]

      I agree with the first part of your statement.

      However, just being shot is not enough. I feel that they should be used for [b]LIVE bayonet training!!!![/b]

      We need to make a PAINFUL example of them.
      fatman65535
  • My, but you're a trusting soul...

    [i]Stanford's site says that original estimates placed the number at 72,000, so I'm inclined to believe that the number is actually 62,000.[/i]

    I'm inclined to be the opposite. If they said it was closer to 62,000, I'd be inclined to think it was closer to 90,000. I really can't see them overestimating a screwup. Substantially underestimating? Yes. Overestimating. I'm doubtful.
    MGP2
    • I give the benefit of the doubt

      Stanford originally claimed 72K. They revised it after getting further information. They gain nothing by the extra 10K at this time... they already were breached.
      nmcfeters
  • At least...

    ...Stanford is acting responsibly. It's refreshing to see a company (or institution or whatever Stanford might be called) clean up their own mess.

    Accidents happen. Screwups occur. It's how you deal with the resulting mess that makes the real difference.
    wolf_z
    • Spot on!

      Yes, I agree. I've found that their open approach to responding to the issue is refreshing.
      nmcfeters
  • over-reaction!

    This article starts out by saying that data were leaked. That's not true. All Stanford knows is that a laptop was stolen, and there is no evidence the thief is accessing the personal info. Often times firms are too quick to announce breaches based on lost computers or backup tapes. Usually, the likelihood that these breaches will lead to identity theft is low. Meanwhile, the announcements confuse the public. --Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html
    benjaminwright75205
    • Seriously?!

      If the laptop was stolen, they MUST proceed under the assumption that the data was leaked. To do anything else would be irresponsible.
      nmcfeters
  • Welcome to our world

    Over the last 6 months, the UK has had data breach after data loss, after theft after security problems. You name it, we've had it.

    Millions of drivers' details were "lost", then two CDs from the Home Office went missing containing bank details and National Insurance (same as Social Security) numbers of every parent in the UK, protectively marked "TOP SECRET" documents left on a train just south of London...

    It makes me think, as mentioned in the article, why do people leave these things on individual devices or media?
    zwhittaker
  • Maybe They Should Start Praying

    But I think you meant they fell "prey."

    I have a little spell checker
    It came with my PC
    It plane lee marks four my revue
    Miss steaks aye can knot see... ;)
    MichP
    • Anytime pal

      Who cares if you are the spelling bee champion of wherever you are from? It means nothing. Everyone could understand the article without your comment. Don't waste our time.
      nmcfeters
  • The attitude towards data security reeks everywhere

    The City of Fort Worth has a program for its employees to promote good healthy habits and progress towards healthier bodies, etc.

    Towards that goal there are several "fairs" per year where the employees can come in and get tested in a large variety of ways. They receive a printed letter with all of the health results and recommended action for improvement. My hangup is that the employee's Social Security number is on every single record and printed on every page of the report mailed to the employee's home.

    I grieved to the health coordinator that this probably violates HIPAA as well as not being good policy. We all have employee serial numbers that would work just as well.

    Her answer was two fold:
    1) the data is stored at a vendor Web site, not on City computers (!)
    2) she was doing the best she could to keep things going as they are.

    HELLO!!!!!
    jonsaint@...
  • RE: Stanford University data breach leaks sensitive information of approximately 62,000 employees

    We all need to work from 8-5 and not take any work home. This "taking work home" is dangerous since some of this information we take home is personal information of others so we need to make sure that data is secure and safe.
    In short we all need to have lives when we get home and not be slaves to work.
    The hyper-competitive nature of our current society is going to kill us one way or another.
    phatkat
  • RE: Stanford University data breach leaks sensitive information of approximately 62,000 employees

    WHAT in the name of everything that makes sense was this data doing on a LAPTOP to begin with? And, I agree - it was certainly unencrypted..........http://whistlersear.wordpress.com
    nellwal@...