[Dataloss] University of MD mails 24000 SSN on front of envelope

David Scott david-scott at david-scott.net
Wed Jul 23 17:32:06 UTC 2008 

It's not a systemic or technical failure, particularly, and Kim essentially
nails it ("...are people just that bad at mail merge?").

The challenge is people - no technical system, policy or plan can overcome
laxity or ignorance (even deliberate intent to harm can be handled).
Everyone needs to become a mini security officer, and all activity needs to
happen through a security prism.  How to get there?

Awareness - through training and refreshers.  Also, a dominant security
culture must be maintained - an eCulture.  You may find interest my
interview at Boston's Business Forum, with editor and found Thomas
Faulhaber:

http://businessforum.com/DScott_02.html 

Regards and success,

David Scott
Author
I.T. Wars:  Managing the Business-Technology Weave in the New Millennium
www.david-scott.net
Google:  I.T. Wars - I.T. Wars now supports MBA graduate level courses at
the University of Wisconsin

Prior to initiating any major systems implementation or business change,
David Scott should be required reading for the whole team.  - Thomas
Faulhaber, Editor and Founder of The Business Forum (R), Boston


-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
On Behalf Of Kim Z. Dale
Sent: Wednesday, July 23, 2008 11:07 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] University of MD mails 24000 SSN on front of
envelope

It seems odd to me how many incidents of SSNs printed as part of a mailing
address occur.  Are all these places using the same software, or are people
just that bad at mail merge?  It seems like an odd thing to happen across
multiple organizations.


-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
On Behalf Of Henry Brown
Sent: Wednesday, July 23, 2008 9:42 AM
To: dataloss at attrition.org
Subject: [Dataloss] University of MD mails 24000 SSN on front of envelope

 From The University of MD Independent Daily Newspaper

http://tinyurl.com/6j6rhv

Social security numbers of students registered for fall 2008 classes, 
totaling nearly 24,000, were inadvertently printed on mailing labels for 
a parking brochure, the Department of Transportation Services said in an 
e-mail to students today.

"The University apologizes, and deeply regrets this unfortunate mistake. 
We are taking aggressive steps to ensure that this does not happen 
again. We strongly recommend that you take appropriate precautions to 
mask, black out, or destroy this document after use," said the e-mail, 
signed by DOTS Director David Allen.

The mailings were sent July 1, but the mistake was not discovered until 
July 8, when students began calling DOTS to complain, according to a 
website set up by DOTS specifically for this incident. The website can 
be found at http://www.transportation.umd.edu/parkingmailer/.

The university is not aware of anyone's social security number being 
misused, added DOTS in the e-mail.

The university will offer free Equifax reports to affected students, at 
a cost to the university of about $23 a person, said Vice President for 
Student Affairs Linda Clement. With Equifax, the students can monitor 
their credit or place a fraud alert on their account.

Clement explained that when a DOTS employee collected names and 
addresses for the brochure, social security numbers and e-mail addresses 
would have appeared in the search, but were supposed to be removed from 
the labels. DOTS saw the e-mail addresses on the labels but didn't 
identify the social security numbers because they were not separated by 
the typical two dashes, she said.

The incident is under investigation and the person involved has not been 
fired, Clement added. The delay in notifying students was due to the 
legal office negotiating a deal with Equifax.

"We sincerely regret it," Clement said. "This is just an awful 
situation; we're trying to do everything we can to mitigate it."

A letter explaining the situation and offering remedies will be sent to 
students Friday or Saturday, said Ann Wylie, the university president's 
chief of staff.

"We were horribly upset that this happened," she said. "It was a human 
error."

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml


_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

More information about the Dataloss mailing list