[Dataloss] University of MD mails 24000 SSN on front of envelope

Michael Hill, CITRMS mhill at idtexperts.com
Wed Jul 23 16:27:10 UTC 2008 

Lack of education and training given to employees, contractors and service 
providers to help spot security vulnerabilities.  Periodic training 
emphasizes the importance you place on meaningful data security practices. 
A well-trained workforce is just as important defense against identity theft 
and data breaches as are physical and electronic security.

In this case, I cant believe nobody in the whole process did not spot the 
SSN or at least question it when seeing a 9 digit number.  Training 
certainly could have uncovered this, though we will never know.




Michael Hill | T3i
Director Risk Management & Compliance
Direct: 404.216.3751 | mhill at T3i.com |
www.T3i.com
INFORMATION SECURITY | RISK MANAGEMENT | COMPLIANCE | FORENSICS | TRAINING



"If You Think You're Not At Risk, Think Again!"


NOTICE:
This email and any attachment to it is confidential and protected by law and 
intended for the use of the individual(s) or entity named on the email. 
This information and all email information from the sender is not legal 
advice nor legal representation and should not be construed as legal advice 
nor legal representation. Check with your attorney in your State for legal 
advice. If the reader of this message is not the intended recipient, you are 
hereby notified that any dissemination or distribution of this communication 
is prohibited.  If you have received this communication in error, please 
notify the sender via return email and delete it completely from your email 
system.  If you have printed a copy of the email, please destroy it 
immediately.



----- Original Message ----- 
From: "Kim Z. Dale" <k-dale at northwestern.edu>
To: <dataloss at attrition.org>
Sent: Wednesday, July 23, 2008 12:07 PM
Subject: Re: [Dataloss] University of MD mails 24000 SSN on front of 
envelope


> It seems odd to me how many incidents of SSNs printed as part of a mailing
> address occur.  Are all these places using the same software, or are 
> people
> just that bad at mail merge?  It seems like an odd thing to happen across
> multiple organizations.
>
>
> -----Original Message-----
> From: dataloss-bounces at attrition.org 
> [mailto:dataloss-bounces at attrition.org]
> On Behalf Of Henry Brown
> Sent: Wednesday, July 23, 2008 9:42 AM
> To: dataloss at attrition.org
> Subject: [Dataloss] University of MD mails 24000 SSN on front of envelope
>
> From The University of MD Independent Daily Newspaper
>
> http://tinyurl.com/6j6rhv
>
> Social security numbers of students registered for fall 2008 classes,
> totaling nearly 24,000, were inadvertently printed on mailing labels for
> a parking brochure, the Department of Transportation Services said in an
> e-mail to students today.
>
> "The University apologizes, and deeply regrets this unfortunate mistake.
> We are taking aggressive steps to ensure that this does not happen
> again. We strongly recommend that you take appropriate precautions to
> mask, black out, or destroy this document after use," said the e-mail,
> signed by DOTS Director David Allen.
>
> The mailings were sent July 1, but the mistake was not discovered until
> July 8, when students began calling DOTS to complain, according to a
> website set up by DOTS specifically for this incident. The website can
> be found at http://www.transportation.umd.edu/parkingmailer/.
>
> The university is not aware of anyone's social security number being
> misused, added DOTS in the e-mail.
>
> The university will offer free Equifax reports to affected students, at
> a cost to the university of about $23 a person, said Vice President for
> Student Affairs Linda Clement. With Equifax, the students can monitor
> their credit or place a fraud alert on their account.
>
> Clement explained that when a DOTS employee collected names and
> addresses for the brochure, social security numbers and e-mail addresses
> would have appeared in the search, but were supposed to be removed from
> the labels. DOTS saw the e-mail addresses on the labels but didn't
> identify the social security numbers because they were not separated by
> the typical two dashes, she said.
>
> The incident is under investigation and the person involved has not been
> fired, Clement added. The delay in notifying students was due to the
> legal office negotiating a deal with Equifax.
>
> "We sincerely regret it," Clement said. "This is just an awful
> situation; we're trying to do everything we can to mitigate it."
>
> A letter explaining the situation and offering remedies will be sent to
> students Friday or Saturday, said Ann Wylie, the university president's
> chief of staff.
>
> "We were horribly upset that this happened," she said. "It was a human
> error."
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>

More information about the Dataloss mailing list