I haven’t seen this in the press yet, perhaps because breaches are so common in the news that people have become desensitized, but Kansas State University just announced it had a fair amount of computer equipment stolen via social engineering:
About $25,000 of computers and equipment was stolen the evening of Wednesday, July 19, from the K-State ID Center in the K-State Student Union. Police are searching for two white males in their early 20s, according to a July 20 news release from K-State’s Media Relations. Anyone with information about the crime is asked to call Detective Donald Stubbings, K-State Police Department, 785-532-6412.
The two subjects, described as wearing blue jumpsuits with “Fox Business Systems” logos, gained access to the ID Center by showing the on-duty Union manager what may have been a forged document and saying they were hired to do repairs on the center’s computers. Several computers, monitors, cameras, and printers were later found missing from the center.
No personal data was lost because it’s stored on a secured server, said Craig Johnson, manager of the ID Center. “Although we have a very secure database, we added enhancements Thursday and Friday to ensure a higher level of security, including a firewall and IP lockouts on the specific workstations stolen,” he said.
I’m not sure why the ID Center announced to the world that they are using IP blocks for the stolen computers. I think the reporter should have stopped with “the center took extra precautions after the theft”. The less information released about the exact countermeasures in the immediate aftermath, the better the chance of catching the perpetrators.
On the other hand, it’s great to hear a university say they had several control measures in place to prevent (and detect?) loss of identities, especially since the attack appears to have been well planned and very specific to their ID Center. Incidentally, a Kansas breach notification law (SB 196) went into effect July 1st, 2006, a little more than two weeks before the breach.
I wonder how they arrive at the “very secure” description of the database, and of the safety of the IDs on the stolen computers. Is that an independent assessment? Does it conform to a standard? After all, we have to wonder if the stolen equipment was also considered “very secure”? Over thirty states now have breach disclosure laws so I expect the clarification of “reasonable” security precautions is likely to become an interesting issue.
Oh, and good luck to the police with that description of two white males in their twenties wearing jumpsuits on a college campus in Kansas. Hopefully someone will have more detail. Otherwise they might as well put a search out for wheat, no?