Report shows high rates of data theft at University

by Devin Henry

For the second straight year, the University was named in a national report looking at incidents of digital information loss.

The Feb. 11 report, called “Educational Security Incidents (ESI) Year in Review – 2007,” included the theft of a University laptop from a locked car last summer.

on the web

To read the full report, go to esi/yir_2007. “Educational Security Incidents and the opinions expressed in this response are my own and my not reflect the views of the university.” Notes Adam Dodge.

The unencrypted laptop contained student names and IDs, as well as grade and enrollment data. It was stolen from a car in California.

The incident was one of 139 separate breaches reported by the 112 colleges and universities named in the report.

Adam Dodge, the assistant director for information security at Eastern Illinois University, compiled the list, which consisted of six incident categories.

“The purpose of the study is to provide solid information on exactly what types of threats exist to the information and information resources at colleges and universities,” he said in an e-mail.

Dodge compiled the report by reading news stories about information loss at colleges and universities.

The loss of the computer fell into the theft category of the report. Overall, there were 39 cases of theft among all the reported colleges in 2007.

Ken Hanna, director of Office of Information Technology security and assurance, said the University has a policy mandating encryptions on laptops, such as the one stolen over the summer.

Hanna said people need to be responsible to ensure information safety.

“In the university environment, there are some many thousands of people around that we can’t run around after everybody,” he said. “We depend on the University community to follow the policies.”

Overall up, University down

There were 56 more incidents listed in 2007 than in 2006, an increase Dodge attributes to things like increased media attention, meaning he had more stories to choose from.

“It is almost impossible to stop breaches completely,” he said. “But by being aware of where we are vulnerable, institutions can work to drastically reduce the scope and impact of future incidents.”

In the 2006 report, the University was one of six schools that had three information-loss incidents.

This referred to the theft of three laptops in June and August of that year.

That number fell to one this year, but recent events such as the Dec. 28 loss of a University physician’s flash drive containing data about 1,300 patients could send that number back up in the future.

Hanna said one subtle cause of information loss stems from e-mail mistakes.

Everyone uses e-mail, Hanna said, but people need to be careful who gets which message.

“Inevitably, somebody doesn’t watch who they’re sending it to and they send it to someone who’s not authorized,” he said.

Protecting data on and off campus

Standards set up by OIT mandate “encryption of private data stored on laptop computers or other portable devices is required.”

Despite the mandate, Hanna said he wasn’t aware of any repercussions to the professor whose laptop was stolen.

“If it’s properly secured, it’s good, but the very best is to have the whole disk encrypted,” he said.

Nicholas Hopper, professor of computer science and engineering, said the University must balance different groups’ uses of University networks with security.

“I’m sure that they’re doing as well as anyone can do under those circumstances,” he said.

Hopper said common sense is a key to keeping data safe – making sure sensitive files are password or encryption protected, using official computers for work only, and not opening suspicious e-mails.

Even so, Hopper said data loss can be common.

“It’s probably just a fact of life that occasional data is going to be misplaced or lost,” he said.

Dodge said he can’t predict future security trends with only two years of data.

He did agree with Hopper about the future of information security threats.

“The goal is to use these incidents to create awareness, not to point out problems,” he said. “After all, security incidents happen.”