Playing Hide and Seek with Private Records

September 29th, 2008 by Agent Smith (1) In The Spotlight, security breach

The security breach case we’re about to talk about is both troubling and funny. Missing data found a few days after the disclosure of the breach, or, in other words, playing hide and seek with personal records, is what’s been happening at Tennessee State University.

After spreading the news that a flash drive containing the financial information and Social Security numbers of more than 9,000 students had gone missing, TSU proceeded to thoroughly notify their students of the security breach. They also backed their announcement with credit protection for those affected.

TSU has a policy about keeping Social Security numbers in protected files, yet the reality was that the missing flash drive wasn’t believed to be encrypted or password-protected. Pretty standard case up to now: hardware is lost and leads to significant data loss, security policies are not complied with, etc.

But! Yes, there’s a “but”: a few days after the announcement, a student turned the flash drive in and TSU released the good news. No one really knows why the student had the drive or how he got it; let’s hope the internal audit will clear up this mystery.

The fact that security policies are not really complied with no longer surprises any of us. But finding out that any student can get their hands on private records that easily is a bit troubling. And the position of TSU is a bit weird as well: ooouups, we’ve lost some pretty important data on our students! Oh, no, our bad, one of our students had it because we have protocol and policies just to show off!


One Response to “Playing Hide and Seek with Private Records”

  1. Chantel Bernardini Says:

    Let me begin by saying I have been a longtime fan, first time commenter. I figured I might as well say thanks for posting this piece (and all your others), and I’ll be back!
