Champlain discloses possible security breach

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.burlingtonfreepress.com/article/20130603/NEWS02/306030008/Champlain-discloses-possible-security-breach

Personal information of more than 14,000 college applicants over four
years might have fallen into unauthorized hands, Champlain College
announced Monday in a statement.

The college stressed it “has no evidence of any attempted or actual
misuse of the information,” which includes names and Social Security
numbers. But the college has retained independent forensics experts to
investigate the incident and has hired a security firm to provide
identity monitoring services for one year for “students and parents
potentially impacted.”

A portable hard drive that contained information provided to the
Admissions Office was found to have been “inadvertently left in a
campus computer lab,” the college said.

The device included 14,217 Social Security numbers of students who had
applied for admission for fall 2010 through fall 2013. A “small
sampling” of students for graduate study or Continuing Professional
Studies also could be affected, the college said.

In addition to names and Social Security numbers, personal information
included what was provided in applications for financial aid.

The hard drive was left in the lab during the course of work being
done to replace the Admissions Office computer.

The device appears to have sat in the lab for up to 48 hours, said
David Provost, vice president for finance, at which point it was
discovered by a student who reported it. Upon retrieval it was erased
by information technicians according to standard protocol, Provost
said, so whether it had been accessed during the 48 hours could not
readily be determined.

According to a website created by the college about the incident, “The
drive was returned to the college’s Information Systems department and
an analysis of the data was begun. At this time there is no evidence
anyone accessed the drive or any evidence of malicious activity.”

Even so, the college said in its statement that it has “out of an
abundance of caution notified those potentially impacted of steps they
can take to monitor their identity, financial accounts, and credit,
should they feel it necessary to do so.”

In addition to forensics experts, the college said it has hired
privacy and data security legal counsel to assist with the inquiry and
the response to the incident.

“Our goal is to be forthcoming with the truth and to arm members of
our community with resources to prevent potential identity theft,”
Provost said in a prepared statement. “We are working to make sure
this type of incident doesn’t happen again and live up to the
expectations parents and students have of us to keep their information
safe. We are committed to getting this right.”

A year’s identity monitoring services by First Watch Technologies
Inc., paid for by the college, is being offered to all those who are
possibly affected.

The college also has established a confidential inquiry line staffed
by people who are trained in identity and credit protection and
restoration, according to the news release.

Provost said the college has insurance that it expected to cover the
cost of most of the measures taken in response to the incident.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.