A costly reminder that encrypting a laptop doesn’t help if you don’t shut down the laptop

Add Tufts University to the list of educational institutions reporting a breach this year.

On July 7, the university notified the New Hampshire Attorney General’s Office that a laptop used by a professor conducting research at Massachusetts General Hospital also contained a file with information on applicants to Tufts’ Graduate School of Arts and Science for the Department of Psychology. The spreadsheet had been downloaded to the laptop in early 2010 and should have been removed, but never was.

When the laptop was stolen in late April 2011, the professor reported the theft to MGH and the police, but it wasn’t until June 16, 2011 that Tufts learned that the spreadsheet containing 73 applicants’ names, contact information,  Social Security Numbers, and some educational/academic information were  was also on the laptop.  The details of how/where the laptop was stolen was not indicated in the notification to the state or affected individuals.

Although the laptop was reportedly encrypted, the professor had some doubt as to whether it had been properly shut down after its last use, allowing the possibility that someone might be able to access the data.  As a result, Tufts offered those affected one year of free credit monitoring services.

About the author: Dissent