Sunday, February 3, 2008

My Own Personal Data Exposure

Well, last week I got a message from the Georgetown Information Security Office. Apparently, a hard drive was stolen which contained information from students enrolled between 1998 and 2006, as well as some faculty and staff. The message said that no credit card information or other financial data was exposed, but that personally identifiable information of some students (and faculty and staff) was stored on the hard drive. We were reassured that there was no evidence that any of the information had been misused, but were cautioned to place a fraud alert on our credit reporting accounts just in case.

For me, the advice to place a fraud alert was a bit late, since I've had credit monitoring ever since someone (not me) opened a bank account in my name almost a year ago. Of course, I could do more (like place a freeze on my account), but, frankly, my risks are low enough that I don't see any need to do it. Of course, there are still two things I'm curious about:

1) Why was the data stored on a hard drive that could be easily stolen (I'm guessing on a laptop)?

2) Why wasn't it encrypted (of course, the message didn't say it was unencrypted, but if it had been, you can bet that would have been mentioned)?

You'd think that in this day and age, an organization the size of Georgetown wouldn't store sensitive data on easily stealable hard drives, and would keep it encrypted as a matter of course.

