KSU joins long list hurt by data theft

June 23, 2005

By Carol Biliczky



Many companies, universities smarting after thieves take sensitive information

A little over a week ago, someone lifted a Kent State laptop out of a staffer's car.

Just like that, there went identifying information on 1,400 current and former KSU employees.

While Kent State is cringing, it is far from alone. Many colleges and companies nationwide -- from Wells Fargo Bank to MasterCard to Ralph Lauren -- are smarting from thefts of sensitive information.

With so much information out there and so many thieves eager to milk it, the computer industry has the makings of a perfect storm, said Robert Richardson, editorial director of the Computer Security Institute, a professional organization in Philadelphia.

"Companies have been slow to take this stuff seriously," he said. "If you just pulled their names out of a hat, you'd find their policies aren't sufficient."

Among colleges and universities, Purdue, Stanford, the University of Michigan and Duke have been the victims of thefts or hackers recently.

Consider Cleveland State.

Earlier this month, a thief stole a laptop from CSU's admissions office with the names, addresses and Social Security numbers of 44,000 current, former and potential students.

The laptop has yet to be found, university spokesman Brian Johnston said.

In the Kent State incident, a human resources administrator left a university laptop in his vehicle at the Wal-Mart at Severance Center in Cleveland Heights on June 14.

Personal information

Greg Seibert, Kent's director of network services, said the laptop contained a hodgepodge of current and dated information on 1,400 staffers. Names, Social Security numbers and sometimes birth dates were listed.

Seibert said the employee worked in labor negotiations -- two unions are negotiating with KSU -- and in state reporting, and was allowed to take the laptop home.

That is a rare privilege, Seibert said. "Less than 20, possibly just five or 10" staffers have that luxury, he said.

Perhaps even fewer should, suggested Richardson of the security professionals organization.

"Never leave confidential (information) in a car unattended, locked or unlocked," he advised. "This is common sense."

If staffers must go off site with a laptop, sensitive computer material should be encrypted, he added.

Encryption is different from a password, which can be bypassed by those in the know. Even if a thief does break the password or otherwise gets into the hard drive, he or she would get a meaningless jumble that couldn't be unlocked without a secret encryption key, or code. Kent State has been encrypting its data, but hadn't gotten to the computer that was stolen, Seibert said.

Cleveland State's stolen data also wasn't encrypted, said Johnston.

Other defenses

There also are ways to design files by obscuring identifying data. The hacker or thief won't know which address goes with which birth date or name, Richardson said.

"We should automatically be thinking, 'How can I protect that? What can we do to make theft unlikely and to make that less dangerous if it happens?'" he said.

There's no evidence that thieves have used the information that was buried in the Kent and Cleveland State computers, officials say. Both universities are making free credit reports available to those who may have been affected.

And there's no evidence that thieves targeted these particular laptops. Officials suggest that the thefts were crimes of opportunity, not design.

But it's not safe to assume that the thieves won't find out what they've got, Richardson said.

"You had better hope they don't know how to do it, because they're the kind of person who will," he said.
