Yottabytes: Storage and Disaster Recovery

Mar 11 2018   5:19PM GMT

Fresno State Hard Drive Theft Raises Questions

Sharon Fisher Sharon Fisher Profile: Sharon Fisher


Another day, another missing unencrypted portable hard disk drive.

In this particular case, it was from the athletic department at California State University, Fresno (which athletic fans typically refer to as Fresno State University, despite the fact that Fresno is not a state). The school lost a portable hard drive containing data about 15,000 people, “including names, addresses, phone numbers, birth dates, credit card numbers, driver’s license numbers and full or last four digits of Social Security numbers,” after a theft from the athletic department over the Christmas holiday that wasn’t detected until January 12. The data included former student athletes, sports-camp attendees and Athletic Corporation employees and were mostly from 2003 to 2014, the university said, adding that only about 300 of the people were still associated with the university.

This leads to the usual series of questions.

  1. Why wasn’t the data encrypted? That’s a lot of personally identifiable information. So what kept the university from encrypting the data?
  2. For that matter, why did the university collect 12 years of that data about 15,000 people all together in the first place? If the majority of these people are no longer with the university, wouldn’t it be a good idea to get rid of that data?
  3. And if that data had to be collected, why in the world was it on a portable hard disk drive? “Having sensitive information on an external hard drive is a breach waiting to happen,” writes Bailey Miller in YourCentralValley.com.
  4. Reportedly, 18 laptops were stolen from the department at the same time. Didn’t those laptops have hard disk drives as well? What sort of data is on those? Were they encrypted? Or were they all Chromebooks that connected to the university data via the cloud? Given how often laptops and hard disk drives seem to walk away, wouldn’t it actually make sense to use a Chromebook or some similar system?
  5. Why did it take almost two months from the time the theft was detected until letting the potential victims know? “Notification of affected individuals began this week as soon as University officials could verify the extent of the breach and the names and contact information of those affected, and the proper notification process.” Okay, but *why* does it take that long? Don’t criminals usually try to use such numbers right away before the victims know they’re missing?
  6. Why did it take so long to discover that the portable hard disk drive was one of the items stolen, if the theft happened over the Christmas break? Interestingly, the school’s announcement said only that the hard disk drive was “reported missing” on January 12, not that it was stolen then. When was it actually stolen, anyway? A different notification indicated that the theft was during the last week of the year. So it took more than two weeks just to realize it was missing?
  7. That different notification also adds that “health-insurance numbers and personal health information” could also have been part of that data. Why was that fact left out of the other notification? How much do people have to worry about having their health information compromised or their health insurance used by someone else?
  8. How do they know exactly what data was on that hard disk drive? If it’s simply a dump of the university database, aren’t those people wondering why the university has that data? (One story noted that the CIO had to go through a million files to determine what data was on the drive.)
  9. Oh, so “there is no reason to believe that the hard drive was stolen for the information it contained” and that the thieves didn’t know what was on it. WELL, GUESS THEY KNOW NOW, DON’T THEY? Yes, there’s reasons why these thefts have to be promoted the way they are, and security through obscurity doesn’t work, but these announcements do seem counterproductive sometimes.
  10. Even if the thieves didn’t steal the hard drive for the data, wouldn’t they check the hard drive to see what goodies might be on it before fencing it, even if they were only looking for a bootlegged copy of Girls Gone Wild? “There’s this implication that the information was not or will not be accessed because the hard drive wasn’t stolen for the information,” writes AlertBoot, a security vendor, in its blog. “How faulty is that logic? Let us assume that some guy boosts a car because he’s going to sell it to a chop shop. Are you telling me that he’s not going to maybe take a peek in the glove compartment box or the trunk because he stole the car for its hardware, and not its content? Possibly lift up the armrest to access the center console? Steal the quarters in the ashtray?”
  11. “To help reduce the possibility of similar incidents from happening in the future, Fresno State is reinforcing its procedures with its employees regarding the proper storage of confidential information and the importance of protecting portable electronic devices.” You think? Like, maybe not using portable electronic devices at all? And encrypting them if for some reason they’re necessary?
  12. Victims are being offered the usual free year of credit monitoring. Ever wonder whether credit monitoring companies stage these thefts to help keep themselves in business?

2  Comments on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • BigKat
    12. Victims are being offered the usual free year of credit monitoring. Ever wonder whether credit monitoring companies stage these thefts to help keep themselves in business?

    That sounds like a something from a parody spy movie bad guy
    9,460 pointsBadges:
  • jonpcasey1977
    Until there are monetary or other repercussions, these security weaknesses will continue.
    10 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: