Thursday, June 1, 2006

Personal Data of 1.3 million Borrowers Lost

Via the Austin Statesman.com -

Texas Guaranteed Student Loan Corp. said a contractor has lost a piece of equipment containing the names and Social Security numbers of 1.3 million borrowers.

But there is no evidence, the company stressed Wednesday, that the information has been misused.

The loss occurred May 24, but Texas Guaranteed didn't find out about it until Friday. It then spent the Memorial Day weekend identifying whose information was on the missing equipment. "It was not a security breach where someone hacked into our system," said Sue McMillin, Texas Guaranteed's president and chief executive. "At this point, we are not aware of any impact."

Round Rock-based Texas Guaranteed said it had sent encrypted electronic files containing the names and Social Security numbers to an office for Toronto-based Hummingbird Ltd., which helps companies manage large amounts of information. No other personal information was sent, Texas Guaranteed officials said.


A Hummingbird employee downloaded, decrypted and stored the files on a piece of equipment that was later lost. The companies declined to elaborate on what the equipment was, where it was lost or what specific law-enforcement authorities were notified other than to say it was local police in a U.S. city.

"I don't want to give out any information that could make it easier for anybody to do anything," Hummingbird President and chief executive Barry Litwin said. But, he added, it is "extremely unlikely" for the information to be used inappropriately because it is password-protected "many times over."






So the data is not encrypted but password protected? By what? The Windows XP login password? I love how the media always stresses how the information hasn't been used in a bad way, instead of talking about what they are going to do to prevent it in the future. It doesn't make me feel comfortable to hear, "At this point, we are not aware of any impact."

Wait, I am aware of a couple impacts.

1) You lost the personal information on over a million people.

2) Smart ID crooks are just going to wait 6 months before using the information. By this time you aren't watching and the customer is no longer watching. So saying that there is no bad activity at this point is just silly.

I will agree that most lost laptop cases do not result in massive ID crimes. Perhaps the thief just wants the quick money for the physical equipment. If this has been the case up to now, then we should call it luck.

Because real crooks with serious information security understanding can pull off a grab job like this in their sleep and then eat your account dry before you know what hit you.
