By Gail Schontzler
Chronicle Staff Writer
November 07, 2007
Montana State University is sending letters to 271 students and MSU
employees to warn them that their Social Security numbers might have
been exposed because of three separate security breaches.
One breach dates to 2002. Another involves an MSU employee's stolen
laptop computer. MSU announced the latest breaches in a news release
Tuesday, four weeks after another security breach that affected 1,400
There's no evidence that anyone's personal information has been stolen
by identity thieves, but MSU can't prove that didn't happen, said Jim
Rimpau, the university's chief information officer. University officials
wanted to act conservatively and alert people so they could check on
their credit reports to make sure no one had stolen their personal
What a horrible couple of weeks it's been, Rimpau said.
The odds are nobody has seen these things, the personal data that could
be used for nefarious purposes, he said.
Chances are good that the stolen computer was taken by some kids who
wanted to pawn it or play computer games, he said.
The key to preventing future breaches is better training, better
awareness among university employees, he said.
Two breaches occurred when employees tried to save information on their
computers to secure MSU sites and accidentally sent the data to
If you're in a hurry, it can happen, Rimpau said. The solution is
getting people to be more careful.
One breach occurred when people in charge of a department's computer
server failed to apply a security update or patch, Rimpau said.
We take these incidents very seriously, MSU spokeswoman Cathy Conover
said in the news release. We try to learn as much as we can from each
incident ... to prevent these events from happening again.
All four cases were the result of carelessness, Rimpau said.
* On Nov. 2, MSU learned that an employee's laptop computer had been
stolen somewhere off-campus. It contained the Social Security numbers
of 216 students and employees who lived in on-campus housing from 1998
to 2007. The data was not encrypted. University police and the
Gallatin County Sheriff's Office were informed of the theft. MSU said
its residential life office will remove all sensitive personal
information from portable devices to prevent this from happening
* Also Nov. 2, an independent security watchdog group informed MSU that
an Excel spreadsheet with the names and Social Security numbers of 42
people, most of them hired in the summer of 2006, was publicly
accessible on MSU's Web site. The spreadsheet was removed immediately.
The spreadsheet had been saved in error by a personnel and payroll
employee in 2006 and mistakenly posted on the Web in July 2007.
* While investigating that breach, MSU data-security staff found another
Excel spreadsheet accidentally posted on the MSU Web site since 2002.
It contained the Social Security numbers of 13 people who got travel
vouchers from the computer science department in the College of
Engineering. It also was removed immediately. The College of
Engineering plans to implement new procedures and increase employees'
awareness to minimize exposure of personal information.
* On Oct. 12, MSU reported that a hacker had gotten access to a computer
server that contained credit card and Social Security numbers of 1,400
people who enrolled online to take MSU Extended University courses in
the past two years. The data weren't encrypted.
MSU spelled out in the letters to students and employees the steps
people can take to protect themselves from identity theft. The
information is also posted online at www.montana.edu/securityalert.
Rimpau said MSU generally uses randomly generated IDs for student and
employee records, but must use Social Security numbers for student
financial-aid and employee-payroll records.
Although we feel horrible about this, it could be worse, Rimpau said,
citing other universities where thousands of students' personal data
were accidentally placed online.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com