MONTANA UNIVERSITY REVEALS FOURTH PERSONAL-DATA BREACH IN ONE MONTH Bozeman Montana Local News
MSU reveals fourth personal-data security breach in one month
Montana State University is sending letters to 271 students and MSU employees to warn them that their Social Security numbers might have been exposed because of three separate security breaches.
One breach dates to 2002. Another involves an MSU employee's stolen laptop computer. MSU announced the latest breaches in a news release Tuesday, four weeks after another security breach that affected 1,400 people.
There's no evidence that anyone's personal information has been stolen by identity thieves, but MSU can't prove that didn't happen, said Jim Rimpau, the university's chief information officer. University officials wanted to act conservatively and alert people so they could check on their credit reports to make sure no one had stolen their personal information.
“What a horrible couple of weeks it's been,” Rimpau said.
“The odds are nobody has seen these things,” the personal data that could be used for “nefarious purposes,” he said.
The key to preventing future breaches is “better training, better awareness” among university employees, he said.
Two breaches occurred when employees tried to “save” information on their computers to secure MSU sites and accidentally sent the data to unsecured sites.
“If you're in a hurry, it can happen,” Rimpau said. “The solution is getting people to be more careful.”
One breach occurred when people in charge of a department's computer server failed to apply a security update or “patch,” Rimpau said.
“We take these incidents very seriously,” MSU spokeswoman Cathy Conover said in the news release. “We try to learn as much as we can from each incident ... to prevent these events from happening again.”
All four cases were the result of carelessness, Rimpau said.
* On Nov. 2, MSU learned that an employee's laptop computer had been stolen
* Also Nov. 2, an independent security watchdog group informed MSU that an Excel spreadsheet with the names and Social Security numbers of 42 people, most of them hired in the summer of 2006, was publicly accessible on MSU's Web site. The spreadsheet was removed immediately. The spreadsheet had been saved in error by a personnel and payroll employee in 2006 and mistakenly posted on the Web in July 2007.
* While investigating that breach, MSU data-security staff found another Excel spreadsheet accidentally posted on the MSU Web site since 2002. It contained the Social Security numbers of 13 people who got travel vouchers from thecomputer science department in the College of Engineering. It also was removed immediately. The College of Engineering plans to implement new procedures and increase employees' awareness to minimize exposure of personal information.
* On Oct. 12, MSU reported that a hacker had gotten access to a computer server that contained credit card and Social Security numbers of 1,400 people who enrolled online to take MSU Extended University courses in the past two years. The data weren't encrypted.
MSU spelled out in the letters to students and employees the steps people can take to protect themselves from identity theft. The information is also posted online at www.montana.edu/securityalert.
Rimpau said MSU generally uses randomly generated IDs for student and employee records, but must use Social Security numbers for student financial-aid and employee-payroll records.
“Although we feel horrible about this, it could be worse,” Rimpau said, citing other universities where thousands of students' personal data were accidentally placed online.
Gail Schontzler is at gails@dailychronicle.com somewhere off-campus. It contained the Social Security numbers of 216 students and employees who lived in on-campus housing from 1998 to 2007. The data was not encrypted. University police and the Gallatin County Sheriff's Office were informed of thetheft . MSU said its residential life office will remove all sensitive personal information from portable devices to prevent this from happening again.
Posts
No comments:
Post a Comment