Earlier today, a breach report was submitted to DataLossDB.org involving Case Western Reserve University in Ohio. The April 4th notice, submitted by one of those affected, indicated that 600 people had names and Social Security numbers on two laptops that had been stolen.
Although the university is offering affected individuals free identity theft protection services, the notice was a tad light on breach details, so I contacted the university. A spokesperson kindly provided additional information, which I am summarizing below:
- The university-issued laptops were stolen from the university art studio building on campus. Neither laptop had any software installed that would permit remote purging of data following discovery of the theft. Neither laptop was encrypted.
- The approximately 600 individuals affected by this incident are master’s of arts and bachelor’s of arts alumni from 1987 to present.
- In response to a question as to whether the laptops were supposed to have been encrypted as per some university policy, the spokesperson replied:
All faculty and staff should have Identity Finder software installed on university-issued computers. This program is designed to identify and “clean” Social Security numbers. Both laptops had the software; neither had had the data scrubbed.
- As a result of this incident, the university will be doing more compliance/auditing work to ensure that the Identity Finder software is actually used as intended.