Global Financial Aid Services reports a completely avoidable security breach
For those who remember the Peter, Paul, and Mary song, feel free to sing along with me: “When will they ever learn? Oh when will they ever learn?”
Global Financial Aid Services of Gulfport, Mississippi, recently notified the New Hampshire Attorney General’s Office that a laptop containing unencrypted student names, addresses, and Social Security Numbers was stolen.
By letter dated May 23, GFAS noted that the theft occurred April 17 in a hotel conference area during a symposium in Hawaii.
The total number of students affected by the breach was not indicated, but the letter to affected students is irritating to this privacy advocate, to say the least. First, the letter claims that “We have taken steps to address it [the security situation] out of an abundance of caution.” How is notifying people that they are now at increased risk, or reminding your employees of proper security measures and protocols, an “abundance of caution”? It’s not.
Second, the letter tells the affected students, “The laptop is equipped with technology designed to prevent unauthorized access and we have no evidence your information has been accessed.” What technology are they referring to? The password on the computer or something else? In their cover letter to the state, they do not indicate that the laptop was equipped with any software that would enable them to determine if the contents of the drive were accessed. So is this just a fancy way of making a simple password sound more protective than it really is, or do they really have some genuine security technology on the laptop?
Third, although the cover letter to the state indicates that students’ addresses were on the laptop, the letter to students makes no mention of their addresses, and tells them that their “[client] account number, social security number and name” were stored on the computer. The cover letter to the state does not inform the state that client account numbers were also involved.
So no, I am not impressed at all by the breach notification and disclosure. And why, oh why, are we still seeing students’ Social Security Numbers in use for purposes that have nothing to do with Social Security, and why, oh why, are we still seeing laptops with unencrypted data being stolen? Enough already…
/End of Rant