OHIO DATA SECURITY AND COMPUTER THEFT http://media.www.cwruobserver.com/media/storage/paper1370/news/2009/09/11/News/Computer.Theft.Raises.Issue.Of.Data.Security.On.Campus-3768840.shtml
Computer theft raises issue of data security on campus
Lauren Hennen
In late July this past summer, a computer belonging to a Case faculty member was stolen. Laptop thefts are common on college campuses, but this theft was significant for one reason: the computer stolen had the names and social security numbers of 1384 Case students and alumni.
Prior to 2007, students' social security numbers had doubled as their student ID numbers. It was encoded on student ID cards and required whenever a student registered for classes. However, both students and campus faculty and staff recognized the potential risks inherent in widespread use of social security numbers, and Case Information Technology Services drafted a policy to eliminate the practice of using social security numbers as student identifiers. Under the new policy, social security numbers are used only for financial aid applications or student employment records.
"We've done a pretty good job of getting rid of social security numbers in common workflow spaces. It's not in the library, it's not on your badge," said Thomas Siu, Chief Information Security Officer at Case. "But there's still old data we have to go get."
Before 2006, professors would receive class lists containing both the names and social security numbers of the enrolled students. And while these documents now contain student ID numbers, evidence of the old system has been hard to eradicate. It persists, in part, through old class lists.
"In conversation that I've had with faculty, many are not aware they have data of this nature that needs to be protected or removed," said Siu.
The existence of class lists and other records containing student social security numbers poses the risk of identity theft, and it is a risk that ITS takes seriously. When the computer was stolen in July, an investigation into the theft was launched. Because the computer's data had been backed up, the university was able to determine who had been impacted by the theft. These people were informed of the security breach in an email sent out in August. In the email, the university offered a link to Zander Insurance, where affected students and alumni could sign up for a year's worth of free identity theft protection.
Prior to 2007, students' social security numbers had doubled as their student ID numbers. It was encoded on student ID cards and required whenever a student registered for classes. However, both students and campus faculty and staff recognized the potential risks inherent in widespread use of social security numbers, and Case Information Technology Services drafted a policy to eliminate the practice of using social security numbers as student identifiers. Under the new policy, social security numbers are used only for financial aid applications or student employment records.
"We've done a pretty good job of getting rid of social security numbers in common workflow spaces. It's not in the library, it's not on your badge," said Thomas Siu, Chief Information Security Officer at Case. "But there's still old data we have to go get."
Before 2006, professors would receive class lists containing both the names and social security numbers of the enrolled students. And while these documents now contain student ID numbers, evidence of the old system has been hard to eradicate. It persists, in part, through old class lists.
"In conversation that I've had with faculty, many are not aware they have data of this nature that needs to be protected or removed," said Siu.
The existence of class lists and other records containing student social security numbers poses the risk of identity theft, and it is a risk that ITS takes seriously. When the computer was stolen in July, an investigation into the theft was launched. Because the computer's data had been backed up, the university was able to determine who had been impacted by the theft. These people were informed of the security breach in an email sent out in August. In the email, the university offered a link to Zander Insurance, where affected students and alumni could sign up for a year's worth of free identity theft protection.
Though Siu said that the university took the cautious approach in dealing with this theft, those who investigated believe that it is unlikely that the person responsible knew about the existence of student social security numbers on the computer.
"This was part of a larger theft, so it's not a good assumption that [the computer] was stolen for data," Siu said. More likely, he said, it was taken for resale value.
A Case senior affected by the theft said that while he appreciated the free identity theft protection offered after the fact, he wonders why it was necessary.
"I was curious what the faculty member was doing with all of those student social security numbers," he said. "The university's response was adequate, but I think more preventative measures could have been taken before the theft."
Those preventative measures are what the university is focusing on now, Siu said. Social security numbers need to be protected and while the university has made strides toward reducing identity theft risk, hunting down all of the old class lists and records with these numbers will take time.
"We have been using the social security system for over 20 years, so we will be wildly successful if we can get rid of it in a year. It's going to take iterations. We don't know where all those data are located," said Siu. "But having gotten rid of it in the workflow, that's the first step."
"This was part of a larger theft, so it's not a good assumption that [the computer] was stolen for data," Siu said. More likely, he said, it was taken for resale value.
A Case senior affected by the theft said that while he appreciated the free identity theft protection offered after the fact, he wonders why it was necessary.
"I was curious what the faculty member was doing with all of those student social security numbers," he said. "The university's response was adequate, but I think more preventative measures could have been taken before the theft."
Those preventative measures are what the university is focusing on now, Siu said. Social security numbers need to be protected and while the university has made strides toward reducing identity theft risk, hunting down all of the old class lists and records with these numbers will take time.
"We have been using the social security system for over 20 years, so we will be wildly successful if we can get rid of it in a year. It's going to take iterations. We don't know where all those data are located," said Siu. "But having gotten rid of it in the workflow, that's the first step."
No comments:
Post a Comment