UVa Laptop Goes Missing with SSNs

Bad news for my fellow UVa employees: an employee’s laptop was stolen, and it contained names and Social Security numbers for 7,000 students and staff. Brian McNeill explains in the Progress that the university has contacted everybody whose data has gone missing, saying that they suspect the intended theft was of of the computer, not its data. The university uses SSNs as a primary identification number for many UVa employees, so it’s used whenever there’s cause to provide a unique identifier for a given employee, but they’re thankfully phasing that out.

12 thoughts on “UVa Laptop Goes Missing with SSNs”

  1. But not missing from UVA Grounds-the employee took it home or off Grounds where it was stolen evidently.

    Why are employees allowed to remove these laptops with sensitive info on them, from their offices? UVA has policies for everything else under the sun, why on earth is there no policy for this? This would be ONE policy they actually could enforce.

    Makes no sense.

  2. Jan, I assume UVA allows telecommuting by some employees like most employers do now. Laptops regulary move back and forth between home and work…….

  3. In fact, I telecommuted today, working out on my deck, while my dogs relaxed in the sunshine. But I think (I hope) I’d have better sense than to keep that sort of data on my local hard drive. That’s what secured network shares are for.

  4. Yeah, the university can’t really disallow taking laptops home — it’s not feasible. But if the sensitive data consists of SS#s, I’ll just say that it has been really easy (in the recent past) to end up with that data in one’s work files, simply because for a long time SS#s appeared on class rosters. They’ve now removed SS#s from current class rosters, but if you have old files/downloads on your computer, you probably do have SS#s. Employees should of course go back and cleanse/delete anything like that from old files, but….I’m not sure university faculty are the people most likely to think of the security concerns. Unlike someone like Waldo, for example, university faculty (in my experience) tend to be a little more stereotypically inept and unaware when it comes to matters technical.

  5. Now that you mention it, what really helps me is that I have no need to worry about students, student records, grading, or anything academic. Since SSNs are on many of those records, I can appreciate how it could be easy to accidentally end up with some SSNs at home. But 7,000, not so much. :)

  6. I was trying to figure out what kind of “work” employees need to take home involving 7000 ss#s. Having worked there for many years, no one I knew dragged laptops home with sensitive material on them like HR info, ss#s or whatever. And anyway, why don’t these folks have a personal laptop or PC at home they can use, especially if there are telecommuting? I mean, if one is lucky enough to be allowed to telecommute, shouldn’t a requirment be to have a home computer, evem if UVA pays for it? So folks aren’t dragging around a laptop to Starbucks? If properly authorized an employee can get into the UVA system and do whatever “work” they need to do from home. Many private companies require telecommuters to have a computer and a DSL line at minimum for security reasons.
    The reporter on this story is going to do a follow up because he got so many calls from staff and faculty. Folks are really pissed about this.

  7. And anyway, why don’t these folks have a personal laptop or PC at home they can use, especially if there are telecommuting?

    I’d argue this approach is actually more secure. Home systems are notoriously sketchy. People download all kinds of ridiculous crap. In a home with other family members, kids, etc., there’s just no way that it can be known to be safe. And if it’s a home system, they’re not bringing it in to be checked out, repaired, and updated by ITC/LSPs. It’s just trouble.

    On the other hand, my work system is a laptop. When I’m at the office it’s plugged into a monitor, keyboard, mouse, and Ethernet. When I’m at home it’s just a laptop. The distinction here is that, since it’s a work system that travels with me, it’s got all of the utility of being useful at home, but comes with the benefits of being a work system–subject to security audits, maintenance by LSPs, regular software updates, etc.

    On the whole, I think the practice of providing laptops to some employees makes a great deal of sense.

    If properly authorized an employee can get into the UVA system and do whatever “work” they need to do from home.

    That’s quite right. And that, I think, is how employees should be restricted to accessing SSNs (and other sensitive material) from off-site: over a secure VPN connection to the university’s network.

  8. UVA has secure servers where data can be accessed by employees from home. The data in question was simply stored on the hard drive of a UVA-owned laptop in an employee’s home. Yes, the file was password protected, but a quick Google search on hacking such a password would give you enough know-how to have you in the file in about 10 minutes. The real question: why was this data not behind one of UVA’s secure servers with remote access? UVA senior administration is silent on the issue.

  9. Ah, yes, the silence of UVA administration. They claim it’s because Albemarle PD is investigating and they want silence, but I smell a cover-up. UVA staff deserve better.

  10. Breaking news: there will be a public flogging with hot dish Friday at 4 for the employee in question. Please no three-bean salad. That is NOT a hot dish, people. This will be followed by an a capella sing-a-long and a round of VG while we mourn the loss of so many noble, southern SSNs (hopefullly no FFVs) and look forward to the next round of villainous data thievery (!) and/or utter incompetence under the shaded canopy of our dear, dear public ivy.

  11. I think that the following quote in today’s DP story following up on the identity theft/laptop security story, is very unfortunate:

    “Some dumb schmuck that broke into this car isn’t going to be too computer savvy,” said Lt. Todd Hopwood of the Albemarle County Police Department. “That’s what we hope for anyway.”

    Our strategy is that we hope the thief is too dumb to know what he’s got.

Comments are closed.