(update) ECMC breach due to failure to adhere to policies
A small note for those looking for official disclosure and notification letters: the notification sent by the Educational Credit Management Corp (ECMC) to New Hampshire, with a copy of its notification to those affected, is now available online (pdf).
In other news on the breach, Kelly Jackson Higgins of Dark Reading points out that the breach occurred because of a failure to adhere to company policies and protocols:
David Hawn, chief business development officer for ECMC, said in an interview that storing such sensitive data on a removable device was a “very clear violation of our company policies and protocols.” He would not specify whether the device was a USB stick, hard drive, or other type of device due to the sensitive nature of the ongoing investigation by law enforcement. Hawn also was not able to reveal whether the data was encrypted, either.
Some news sources have been describing this breach as the “biggest ever.” While it is certainly not the biggest breach ever involving unencrypted SSNs or personal information, it does seem to be the largest if you categorize it as an educational sector breach rather than a financial sector one.