Wednesday, July 18, 2007

107,000 More Records Compromised



This time it's 27,000 names, addresses, and credit card numbers lost by Kingston Technology Company and 80,000 names, addresses, and social security numbers lost by the Louisiana Board of Regents.

Kingston Technology (27,000)
Wouldn't you know it, there is no mention of this breach anywhere on Kingston's homepage.

Apparently the data was taken through unauthorized access to information on purchases made at www.shop.kingston.com. What makes this interesting is that this breach supposedly happened in September 2005 but went undetected until "recently".

Who is the victim?
"After confirming what data was accessed and who was affected, Kingston had to gather the appropriate contact information and arrange for consumer protection services and materials to notify the impacted consumers," the spokesman said.

Sound Familiar?
"The note added that, for the moment at least, there is no evidence that the illegally accessed data has been misused."

Kingston has an impressive track record of protecting information, and I get the feeling that they will only improve.

News: Computerworld
Letter to the New Hampshire Attorney General

Louisiana Board of Regents (80,000)
The Louisiana Board of Regents has a link on their homepage to some additional details.

I have to admit, this one has me a little miffed! I do not like how the data was compromised, how long it took to detect it, or the official Board of Regents (BOR) response.

The Compromise
A student found/stumbled on the data using Google. The student found a database of student names and 150 other files that he claimed contain up to 75,000 more names of students and employees. This information was accessible from the Internet without any protection whatsoever. According to BOR:

Groups Potentially Affected

Any student who was enrolled in the 10th grade at a Louisiana public high school and took the EPAS (Educational Planning and Assessment) Plan test between 2001 and 2003.
Any Louisiana public college or university faculty or staff member who was employed in either 2000 or 2001.


It is unclear how long the data may have been exposed, but it may have been "as long as two years".

The Response
The official response leaves something to be desired, for sure! Basically, all the BOR seems to have done is make the data inaccessible and offer some tips for those who may have been affected. How about STOP USING SOCIAL SECURITY NUMBERS AS IDENTIFICATION!!!

While researching this incident, I found a document titled "File Layout STS Student Transcript System". Data Element Name: State Identification Number --> Social Security Number, if available. Otherwise, a temporary number assigned according to LDE guidelines.

News: WDSU News Channel 6
