Cornell Computer Theft Puts 45,000 At Risk of Identity Theft
PL/SQL Guy writes "This afternoon, Cornell alerted over 45,000 current and former members of the University community that their confidential personal information — including name and social security number — had been leaked when a University-owned computer was stolen. A Cornell employee had access to this data for troubleshooting purposes, and the files storing the sensitive information were being stored on a computer that was not physically secure. The university is not disclosing details about the theft. This isn't the first breach for Cornell; last June, a computer at Cornell used for administrative purposes was hacked, and the University alerted 2,500 students and alumni that their personal information had potentially been stolen."
Keeping User Data in a University.... (Score:5, Insightful)
Re:from Ivy League to Bush League (Score:1, Insightful)
I was one of the 45K (Score:5, Insightful)
It is extremely frustrating. I encrypt my personal data when it is under my control. It is unforgivable that an institution that I pay this much can't do the same.
CIT is completely incompetent (Score:2, Insightful)
This is the same IT department that recently switched over its management software to PeopleSoft. A wonderful web app that randomly throws COBOL errors and refuses to function.
Surprise Surprise.
I personally think this person was probably pretty far up the food chain. There was no indication they were let go, and who else would think they were this far above the regulations regarding encryption of personal data?
Re:Keeping User Data in a University.... (Score:3, Insightful)
Hell, I once worked at a place where HR sent the spreadsheet that contained every employee and their salaries in it to ALLSTAFF, not once, but twice. At the time I was the mail administrator, and it was a gigantic pain in the ass. I really didn't even have time to write a script to do it, I had to log in to the server, and use Pine to turn everyone's mail into just another folder that I could access and I manually went in and had to find and delete the mail from like 300 people's inboxes.
Obviously, to this day, I'm nearly certain that a not insignificant fraction of the staff had actually downloaded it from the POP3 server before I could get to it, but I was too frenzied to actually get a count as I was tabbing around and deleting like a mad man.
Of course, the major question is, between my experience and this one.... why the fuck do people compile these things, load them into attachments or laptops and then do the stupidest things imaginable with them? Why do you need a list of everyone's salary or 45,000 people's social security numbers??? For what conceivable purpose would you take that out of the office or email it in bulk somewhere?
It just goes to show. No one cares about security until it's too late to care about it. If it's not too late to care about it, they'll continue to ignore it, even after an incident, until they have finally given away anything that could possibly be of value. At my business, I probably moved too fast to delete the file, so they had to screw up again to ensure their failure. At Cornell, losing 2500 accounts was too puny, so they needed to upgrade. Of course, given that there are like 17,000 undergrads at Cornell, they will probably need to screw up a few more times to make sure they have well and truly screwed over everyone who has attended there for the past decade or two.
I'm not bitter.
Re:Keeping User Data in a University.... (Score:3, Insightful)
Those lists become handy when you need to fire someone. You start with the highest salaried people, and then you slowly work yourself down the list until you recognize someone you dislike, or until you simply don't recognize a name.
At least they admit it.... (Score:2, Insightful)