Mobile Computing and IT Security
To: University of Utah Faculty and Staff
From: Stephen Hess, Associate VP for Information Technology
Subject: Mobile Computing and IT Security
Date: October 4, 2006
The purpose of this memo is to re-emphasize the University Information Technology Resources Security Policy found on the web at http://www.admin.utah.edu/ppmanual/1/1-18.html.
Many of the major IT security incidents which have been broadly reported by the news media involve the loss or theft of portable computing and storage devices and media such as:
- Laptop computers
- Palm, Blackberry, and other PDA devices
- Cellular phones
- USB devices (keys, jump drives, thumb drives, flash drives, iPods, etc.)
- CDs and DVDs
- Hard Drives (external drives or internal drives that have been removed from a PC)
- Any other computing or storage device that may be portable, including desktop computers.
- Paper documents (printouts, forms, etc.). Paper is a storage medium.
The Policy states that "The Dean, Department Chair, or Vice President must grant permission to the User" to have access to "Private Sensitive Information, such as Social Security Numbers, financial information including credit card numbers and bank information, or protected health information, including health records and medical information."
If you require access to private sensitive information to complete your job functions, and you need to transport that information on a mobile computing or storage device, you must seek approval from the appropriate authority as stated in the Policy. The data should be encrypted, and must only be accessed with a strong password or token.
The following stories, all from this week, highlight the problems that can occur when private sensitive information is stored on mobile devices.
***********************************
--Stolen Laptop Holds Data on 50,000 GE Employees
(25 September 2006)
A laptop computer stolen from the locked hotel room of a General Electric employee holds the names and Social Security numbers (SSNs) of approximately 50,000 current and former GE employees. A company spokesperson said GE is offering all affected individuals a year of free credit monitoring.
http://www.wten.com/Global/story.asp?S=5452721&nav==6uyN
--Missing Jump Drive Holds Hospital Employee Data
(23 September 2006)
A USB storage device reported missing from a locked office on September 15 contains the names and SSNs of approximately 4,150 current and former Erlanger Hospital (TN) employees who had undergone employment status changes between November 2003 and September 2006. Hospital officials say letters were sent to affected individuals within 24 hours of learning of the breach. An additional 2,050 current employees who were not affected by the breach also received letters describing the incident. An employee who was working with the data and noticed them missing notified his supervisors promptly.
http://www.tfponline.com/absolutenm/templates/breaking.aspx?articleid=5100&zoneid=41
http://www.erlanger.org/media/statement.asp
--More Than 1,000 Commerce Dept. Laptops Missing Since 2001
(22 September 2006)
The US Department of Commerce has acknowledged that 1,137 laptop computers have been lost or stolen since 2001. Of the missing computers, 249 hold personally identifiable information. Some of the computers are protected with passwords; some are fully encrypted. Six hundred seventy two of the missing laptops were from the Census Bureau, 246 of which hold personally identifiable information. The other three computers holding personally identifiable information are from the National Oceanic and Atmospheric Administration. Commerce Secretary Carlos M. Gutierrez estimated approximately 6,200 households could be affected by the data security breach. The agency conducted the review "in response to a Congressional request and public inquiries." House Government Reform Committee Chairman Tom Davis (R-Va.) has requested that all agencies report all security breaches. "Davis has proposed legislation that would require the Office of Management and Budget to establish policies for agencies to follow in the event of a data breach."
http://www.govexec.com/story_page.cfm?articleid=35081&printerfriendlyVers==1&
http://www.washingtonpost.com/wp-dyn/content/article/2006/09/21/AR2006092101602_pf.html
http://www.fcw.com/article96204-09-22-06-Web&printLayout
http://www.gcn.com/online/vol1_no1/42094-1.html?topic=security
--Student Financial Aid Application Data Misplaced
(20 September 2006)
Berry College (GA) officials have been notified that sensitive student data in both paper and digital form have been lost. Apparently a consultant misplaced the data at an airport. The data include names, SSNs and reported family income for 2,093 students and applicants who submitted a free application for Federal Student Aid to the college in 2005 and 2006. More than half of those whose data were compromised are enrolled at the school. The college is notifying those affected by the breach individually. A hotline and a webpage have been established to help those with questions about the breach.
http://news.mywebpal.com/partners/680/public/news748399.html
--U of Colo. Business School Computers Missing
(25 & 22 September 2006)
The Leeds School of Business at the University of Colorado is in the process of notifying 1,372 current and former students that their names, Social Security numbers (SSNs) and grades are held on two computers that have been missing. One of the computers has since been found. The computers were reportedly placed in storage in May during a move to temporary quarters; when the items were removed from storage in late August, two computers were unaccounted for. University police are investigating. The school has established a hotline for those who receive letters about the breach and have more questions.
http://www.colorado.edu/news/releases/2006/308.html
http://www.thedenverchannel.com/news/9924211/detail.html
--Purdue Univ. Notifying Affected Students of Possible Data Breach
(22 September 2006)
Purdue University is notifying approximately 2,500 individuals who were students at the school in 2000 that their personal data may have been compromised. The data include names and SSNs. A security check of an administrative workstation in the University's Chemistry Department found that a file might have been accessed by a cyber intruder. Purdue has established a toll-free number for people who believe they may be affected by the breach. Analysis indicated that the intruder obtained remote access to the computer's hard drive and installed software that would allow files to be downloaded. Purdue University no longer uses SSNs as universal unique identifiers for students.
http://www.insideindianabusiness.com/newsitem.asp?ID=19775&print==1
--Computers, Storage Devices Stolen from Nagasaki Univ. Hospital Contain Patient Data
(24 September 2006)
A Nagasaki University official has acknowledged that six notebook computers holding personally identifiable data on roughly 9,000 patients were stolen from the Nagasaki University Hospital of Medicine and Dentistry. The data include names, birth dates and medical diagnoses of patients who have been seen at the hematology division since the early 1990s. The computers were stolen overnight between September 14 and 15. The police were notified immediately. Eight USB memory units and two hard disks were also stolen.
http://www.yomiuri.co.jp/dy/national/20060924TDY02007.htm
[Editor's Note (Honan): According to the report, "The data, based on patients' medical files, had been stored there for educational and academic purposes, and some of them contained detailed descriptions on the patient's medical histories"; this highlights the reason why live/real data should never be used in non-production environments where the levels of security controls may not be the same as those found in production environments.]
------------------------------------------------------------
Distribution of this message was approved by Stephen Hess, Associate Academic Vice President for Information Technology, University of Utah Phone (801) 581-3100, 101 Wasatch Drive, Eccles Broadcast Center, Salt Lake City, UT 84112

