Yottabytes: Storage and Disaster Recovery

May 14 2019   9:20AM GMT

The Strange Case of Seattle University’s ‘Lost’ Laptop

Sharon Fisher

Tags:
privacy
Security

There’s been another case of Companies Behaving Badly with customer data: In this particular case, Seattle University’s “lost” laptop.

“On March 28, 2019, Seattle University was informed by an employee that an unencrypted university-issued laptop was lost while the employee was commuting on a bus on March 26, 2019,” noted the university in its report, entitled Data Security Incident.

There are several things to unpack in that sentence.

How do you “lose” a laptop on a bus? I can understand “I *left* a laptop on a bus” or “My laptop was stolen on a bus” but how do you lose one?

(In general, that whole sentence is a lovely example of the passive voice being used to remove agency from someone. What’s wrong with “An employee told Seattle University that they had left a laptop on a bus”?)

If the employee “lost” the laptop on March 26, why did it take until March 28 before the employee reported it? It’s not like it was over a weekend; we’re talking a Tuesday and a Thursday.

Let’s move on.

“After learning of the situation, the university immediately began an investigation led by Information Technology Services and has been able to confirm there were files on the laptop that contained the names and Social Security numbers of 2,102 current and former faculty, staff, and their dependents. Although no files with sensitive data were saved directly to the local hard drive, an offline email cache file on the laptop contained attachments with personal information.  The main file of concern was the result of an isolated incident in which an outside vendor emailed the file in error.”

How do they know this? How can they tell what’s on the laptop?

What is an “offline email cache file” and how do they know what’s in it?

Why is an outside vendor emailing unencrypted personally identifiable information (PII) to an employee in the first place, accidentally or not?

How does a vendor accidentally email a file with more than 2000 records of PII?

What was special about these more than 2000 people that they were on a list?

Is Seattle University still using that vendor?

How long ago did the vendor email that file? In other words, how long has this unencrypted PII been sitting in the employee’s laptop?

And more.

“The university recently hired a Director of Cybersecurity and Risk who has been actively involved in leading the efforts to investigate this incident.  In addition, we are redoubling our efforts to encrypt data on all university-managed laptops.”

To what degree was that hiring in response to this incident? Or was this incident simply a great example of why that person needed to be hired? What else has happened that led to that person being hired?

What efforts had the university already made to encrypt data on all university-managed laptops? What was keeping those efforts from working? What does “redoubling” consist of in this case?

Both the Seattle Times and the Associated Press have done articles on the incident, but the articles are simply rewrites of the security notice and don’t provide any additional information.

This isn’t the first time such incidents have happened with Washington universities; the Seattle Times noted that both Washington State University and the University of Washington have had similar incidents.
