A data breach resulting from a stolen laptop has leaked sensitive information including Social Security Numbers of approximately 62,000 (as reported by Stanford University) former and current Stanford University employees. The Privacy Rights Clearinghouse, a site devoted to the collection of data breach information, reports this number as 72,000, and I'm not positive which is more accurate at this time. Stanford's site says that original estimates placed the number at 72,000, so I'm inclined to believe that the number is actually 62,000.
This is just the newest example of a university falling prey to data breaches... in fact, if you look through the aforementioned Privacy Rights Clearinghouse site, you'll see numerous universities listed, with some pretty amazing numbers of records stolen.
For the record, this isn't to point the finger at Stanford; the point of this article is simply to suggest that, just like financial service organizations, health care providers, etc., schools (and I say schools since this could translate to high schools just as easily) have an amazing amount of data available and typically have less stringent security controls and governing compliance demands.
More on the data breach below.
I've posted the response from Stanford University's site below. There are a couple of key areas I'd like to point out:
- First off, Stanford answers what happened, and I'm blown away by the fact that a single laptop contained this much sensitive data... I'm wondering what this laptop could've possibly been used for
- Stanford mentions what data was on the laptop and it is certainly very sensitive data
- Stanford refuses to comment on whether the data was encrypted due to the ongoing legal case... I'm not really sure why that would matter unless the data was not encrypted
- We should give Stanford some credit for jumping on this quickly and actually getting as many facts as they could out to victims... data breaches are tough problems to handle
From Stanford University's website:
FAQ on Stolen Laptop Incident
LAST UPDATED: June 18, 2008.
Questions & Answers regarding a stolen laptop which contained restricted information about Stanford employees.
- What happened?
A laptop was stolen that contained records of approximately 62,000 current and former employees.* On June 5 we learned that it contained restricted information. Immediately upon learning of this situation, Stanford mobilized to identify contact information for the affected individuals and sent e-mail notification to current employees, including faculty and staff. We are mailing notification letters to the rest of the affected individuals.
* Original estimates placed the number of affected individuals as high as 72,000.
- Am I affected?
Your personal identifying information is likely to be in the data file if you received a paycheck from Stanford prior to September 28, 2007. This group includes faculty, staff and students who have been employed by the University in any capacity. SLAC and Stanford hospital employees are not in the file unless they previously worked at or are otherwise affiliated with the University. SLAC retirees may be included in the data file since they receive retirement benefits through the University. We are sending notification letters to let you know if you were one of those affected. If you do not receive a letter by June 30, 2008, please call 1-888-200-8799 between 6:00 a.m. and 3:00 p.m. (Pacific Time) to speak with a Kroll customer service representative and confirm if you are an affected individual.
- If I didn’t receive an e-mail or letter, does this mean that my information was not on the stolen laptop?
No. While we tried to reach everyone whose information was on the laptop, we may not have current contact information for you. You can call 1-888-200-8799 between 6:00 a.m. and 3:00 p.m. (Pacific Time) to speak with a Kroll customer service representative and confirm if you are an affected individual.
- What will Stanford do to help mitigate the cost and inconvenience to me?
Stanford is committed to providing enhanced safeguards against identity theft for affected individuals. We have entered into a relationship with Kroll, a New York-based risk-consulting company, to provide one year of credit reporting, credit monitoring, and identity-theft restoration services at university expense. If you were an affected individual, you will be receiving a notification letter describing how to take advantage of these services. If you do not receive a letter by June 30, please call 1-888-200-8799 between 6:00 a.m. and 3:00 p.m. (Pacific Time) to speak with a Kroll customer service representative and confirm whether or not you are an affected individual.
- What data was on the laptop?
- Name, gender, date of birth
- Social Security number
- Salary, business title, office location, office phone number, and e-mail address while employed by Stanford
- Home address and phone number while employed by Stanford
- Stanford ID card number and Stanford employee number
There are no driver’s license numbers, credit card numbers, bank account numbers or other financial information in this file.
- Has the data been misused?
We believe that the perpetrator of the crime was not seeking the records on the computer or even aware of them. Often, such thefts are property crimes in which the laptop's hard drive is erased before the laptop is resold. However, to date, while we still have no knowledge that the information has been misused, we wanted to be sure that individuals who may be affected are notified of the risk so they can take appropriate action.
- Was the information encrypted?
Because this is part of an active criminal investigation, we are not disclosing publicly the details of the protection of the data on the laptop.
- Why was this information on a laptop? How can you be sure a similar incident won’t happen again?
The University’s policies follow best practices for protection of confidential information. Under Stanford’s policies, restricted data may not be stored on a laptop or any other unprotected system or device. Clearly, this incident violated our information security policies and procedures, and it demonstrates that we must have heightened vigilance in this area. To that end, Randy Livingston, Vice President for Business Affairs and CFO, will be leading a task force to review all policies and practices regarding safety and security of sensitive data.
- Is there an investigation into this incident?
Stanford has reported the stolen laptop to law enforcement and is working with them to identify the perpetrator(s). We cannot discuss further detail of an active investigation.
- What else is the University doing?
Stanford is working with law enforcement to recover the laptop. Stanford has alerted Human Resources and the Computer Help Desk about this incident, and will scrutinize any requests for changes to passwords or personnel profiles. Stanford is committed to working with our affected community members to safeguard against identity fraud that may result from this crime. If we discover a pattern of fraud over the next few months, we will provide further notification to everyone affected.
- What do affected individuals need to know to safeguard themselves?
You will find complete and helpful information about your rights and precautions that you should consider taking at:
- California Office of Information Security and Privacy Protection
- Federal Trade Commission ID Theft Information
- Identity Theft Resource Center
- The Privacy Rights Clearinghouse
In addition, Stanford is making credit reporting, credit monitoring and fraud restoration services available to affected individuals through Kroll, a New York-based risk consulting company. If you were an affected individual, you will be receiving a notification letter by June 30, 2008 describing how to take advantage of these services.
- What have you done to inform affected individuals about the incident?
We immediately began our effort to contact employees as soon as we learned that files on the stolen laptop contained sensitive employee information. We reached out to current employees by e-mail and are mailing notification to everyone else in the data file. We also notified the press. We want to be sure that the information reaches the broadest audience possible so that everyone affected will hear the news and have an opportunity to take appropriate action.
- Can I get more information?
Currently, this is the most recent information that we have about this incident. We will be updating this FAQ if there is new information. In the meantime, if you wish to know if you are an affected individual, would like more information about Kroll’s services, or have other questions, please call 1-888-200-8799 between 6:00 a.m. and 3:00 p.m. (Pacific Time) to speak with a Kroll customer service representative.