[ISN] VSC narrows down personal data exposed by laptop theft

[InfoSec News]

http://www.rutlandherald.com/apps/pbcs.dll/article?AID=/20060406/NEWS/604060353/1004/EDUCATION05

By Darren M. Allen 
Vermont Press Bureau 
April 6, 2006 

MONTPELIER - A month after the theft of a laptop computer containing
personal information of thousands of students and employees of the
Vermont State Colleges system, officials are narrowing down the types
of private information that were exposed.

In a system-wide e-mail sent Monday to students, faculty, staff and
alumni of the five state colleges, VSC Chancellor Robert Clarke
emphasized the colleges' assertion that no personal information has
been accessed or compromised from the laptop, which has not been
recovered.

"We have no evidence to date that personal data were actually
retrieved or misused," Clarke said. "The laptop has not been recovered
by law enforcement, so our ongoing information requires working with
staff who may have exchanged e-mails and attachments with teams
including the owner of the stolen laptop."

The concealed laptop was stolen Feb. 28 from the chief information
officer's car while it was parked on the streets of Montreal. The car,
according to Karrin Wilks, the colleges' vice president for academic
and strategic planning, was broken into by someone who also stole a
pair of skis and other visible valuables.

The colleges have been under fire recently because they did not notify
the nearly 20,000 people whose personal financial information was
potentially available on the laptop until three weeks after the theft
occurred.

The faculty union has asked its attorney to look into why it took so
long to notify its members of the potential information breach, and
the state employees union has registered its displeasure as well.

In his memo this week, Clarke said the colleges' notified all banks in
Vermont, New Hampshire and New York on March 27 of the theft and
potential release of financial information.

The memo did specify the types of information that was potentially on
the laptop. College administrators said access to the system's
computer networks from the stolen laptop was immediately blocked as
soon as they were notified of the theft.

Employee information from June 2002 to November 2005 may have been
archived on the laptop. The data, which includes names, addresses,
Social Security numbers, salary, taxes, withholding and wage
garnishment information, as well as bank account numbers for people
with direct-deposit accounts, were not encrypted, the memo said.

Admissions information for all students from June 2002 to December
2004 could have been on the computer. That data includes names,
addresses, birth dates, Social Security numbers and academic records
such as college placement exams.

Clarke said that information on parents, spouses and dependents was
not on the laptop.

Wilks, in a brief interview Wednesday, said the VSC system is in the
midst of developing policies for future breaches of information. She
said VSC over the weekend also mailed detailed information about the
theft to 50,000 students, former students, faculty, staff and former
employees.

The laptop theft was followed by an incident late last month in which
someone hacked into the Lyndon State College e-mail system. Someone
pretended to be the school's computer administrator, sending out a
mass e-mail in his name and warning about identity theft.

The hacker has not been identified, and a Lyndon spokesman on
Wednesday said the investigation was continuing.

Last fall, the colleges also had a computer security breach in which
the Social Security numbers of Vermont Technical College students were
posted on a school Web site.

Sensitivity to the disclosure of personal financial information is
increasing nationwide because of fears of identity theft. Armed with
such information, thieves can pretend to be other people and establish
credit in their names, drain their bank accounts and make charges to
their credit cards.

Sen. Patrick Leahy, D-Vt., has sponsored a measure in Congress that
would make it easier for consumers to protect their own information.  
This would include a provision forcing companies or entities who lose
information to inform their customers of the potential threat.

© 2006 Rutland Herald