By ANDREA L. FOSTER
Patrick A. Grant was stolen in April. A thief walked away with a laptop containing the University of Virginia biochemist's name and Social Security number, as well as those of more than 7,000 other professors, staff members, and students. The machine belonged to a university employee who had taken it off campus — and then it was simply taken.
The next month, Mr. Grant discovered that criminals had amassed at least $22,000 in debt under his name.
Mr. Grant believes the laptop theft, or a series of campus computer-hacking incidents years ago, led to his victimization.
"My suspicions lie with" both, he says, adding that he knows of no other circumstances in which his confidential data were exposed.
The April theft was at least the sixth college security breach involving laptops in 2008. Also in April, a consultant for SunGard, a major national software vendor, reported his laptop stolen. It contained confidential data on tens of thousands of current and former students on at least 20 campuses across the country. In June Stanford University had a laptop stolen that contained names, Social Security numbers, and salaries of 62,000 current and former employees.
The problem has grown as laptops' popularity has increased. The mobile machines can be carted to class, to the library, or off campus. But their easy portability also makes them great targets for thieves. People often leave laptops in cars or on a table while they take a bathroom break. In a flash, they're gone.
The consequences can be a nightmare for the institution as well as for the person coping with identity theft. Colleges can be penalized or lose funds under federal privacy laws if the missing machines contain sensitive data. And many states have recently enacted laws that require colleges to follow costly procedures for notifying those affected by security lapses.
As a result, more colleges are trying to rein in the use of confidential data on laptops. When such information has to be on a laptop, they are pushing encryption software to protect it. Some colleges are also subscribing to tracking services to recover stolen machines.
No Single Fix
There is no one way to prevent laptops from wandering and important data from wandering with them, says Marti Harris, a research director at Gartner Inc., an information-technology consulting firm. Ms. Harris helped write a report in 2006, "Stolen Laptops Denote a Growing Data Security Breach for Higher Education." The best approach, she says, is to attack the problem on multiple fronts.
That is now the University of Virginia's approach. In June the university issued a new data-security policy that, among other things, requires approval from top administrators before anyone can store confidential data on a computer. If they do get permission, the data must be encrypted using TrueCrypt, software that has been adapted to work with the wide variety of operating systems used by campus machines.
Shirley C. Payne, director for IT security and policy at the university, said the policy was not in reaction to the laptop theft. But she acknowledges that although the university had been preparing the policy change before the theft, it hastened to put it in place because of the incident. Campus police officers and the Federal Bureau of Investigation are probing the crime. They are withholding details of the case, like the name and job of the laptop owner, because of the investigation.
Hidden Data
To handle encryption, many colleges are purchasing software that is loaded onto the hard drives of laptops. Whole-disk encryption, rather than encrypting file by file, is the preferred approach. Relying on individual computer users to determine which files contain confidential data and trusting them to encrypt those files is too risky, technology experts say.
Baylor University in 2005 was among the first to embrace whole-disk encryption. All university-owned laptops, a total of about 800 used by faculty and staff members, will be encrypted in this way by the end of July using software from the vendor PGP, says Adam L. Sealey, an information-security analyst at the university.
Employees have reported stolen laptops since the university encrypted data on them, but the university was not required to inform anyone. If the thieves had turned on the machines, they would have needed a password to load the operating system and automatically unscramble the data.
For the encryption to be effective, Baylor officials warn laptop users to turn off their machines when they're not in use. If they're stolen while turned on, sensitive data could still be compromised, says Mr. Sealey.
Limited Access
As another layer of protection, both Baylor and the University of Virginia are telling their employees to rid their laptops of Social Security numbers. Virginia, for example, is using software that scans files on computers to find those numbers and credit-card numbers so that they can be quickly deleted.
The university is also re-evaluating who is allowed access to sensitive data, and is stepping up its authentication procedures so that only approved people are able to view such data. Campus deans and vice presidents must approve requests by faculty and staff members to store confidential data about anyone connected to the university on any computer, including laptops.
Tracing Machines
Since laptops are expensive, some colleges also want to recover stolen machines. They've installed software on laptops to track their location and help identify thieves.
The University of Kansas Medical Center has tracking software on all its laptops used by faculty and staff members. The software is also installed on students' personal tablet computers, which they are required to purchase. The medical center uses a product called Computrace, made by Absolute Software Corporation.
Once the software is installed on the machines, they send out signals whenever they are connected to the Internet, and Absolute can trace those signals back to the Internet service provider used in that connection. Then the company works with police officials to subpoena the service providers and pinpoint a laptop's location and identify the thieves.
If a laptop is reported stolen, Absolute unobtrusively begins calling the machine every 15 minutes to track its whereabouts. After 30 days of trying to recover a laptop, Absolute gives up and offers its clients with premier service up to $1,000, depending on the value of the laptop.
The medical center has recovered some machines using this system, says Sherry L. Callahan, the medical school's director of information security. But others have not been retrieved because the thieves did not connect them to the Internet.
Ultimately, Ms. Callahan says, retrieval isn't as important as data protection. "Computrace is really great because we like to catch the bad guys," she says. "But encryption is what's really going to ensure that you're protecting the information that's on the laptop." The medical center is now using whole-disk encryption on about 1,300 laptops and tablets using a program called Endpoint Encryption from McAfee, a company that markets a suite of computer-security tools. Kansas, like many medical schools, is concerned about protecting patients' health data. The software costs between $50 and $65 per machine.
Mr. Grant wishes University of Virginia officials had been this aggressive about their computers.
After the April laptop theft, he learned that thieves in New York had opened checking and savings accounts in his name, using his Social Security number and a phony driver's license with his name on it.
They took control of his credit-card data, and sent money to the card online from someone else's bank account, another victim of identity theft. Then the thieves authorized cash advances from Mr. Grant's credit-card account to the fraudulent checking account. Over about 10 days, they drained $22,000 from the account via a cash machine.
Mr. Grant's bank is not holding him responsible for the debt. But he fears that some of his colleagues whose personal data were inadvertently exposed by the university could also become victims of identity theft. In fact, just in the last couple of weeks another professor reported a similar crime.
http://chronicle.com
Section: Information Technology
Volume 54, Issue 43, Page A1