The Wall Street Journal reports the theft of 3.3 million student loan records, including Social Security numbers:
Company and federal officials said they believed last week’s theft of identity data on 3.3 million people with student loans was the largest-ever breach of such information and could affect as many as 5% of all federal student-loan borrowers.
Names, addresses, Social Security numbers and other personal data on borrowers were stolen from the St. Paul, Minn., headquarters of Educational Credit Management Corp., a nonprofit guarantor of federal student loans, during the weekend of March 20-21, according to the company.
ECMC said the stolen information was on a portable media device. “It was simple, old-fashioned theft,” said ECMC spokesman Paul Kelash. “It was not a hacker incident.”
What is particularly frustrating is that the records were stored on a portable media device. Given all the incidents where data was stolen from flash drives and laptops, one would think that companies would have learned that storing millions of records on such devices isn’t a wise thing to do.
Since 2005, we’ve been hearing about a barrage of data security breaches. As the WSJ states:
All told, more than 347 million records containing sensitive information have been compromised in the U.S. since 2005, according to the Privacy Rights Clearinghouse, a nonprofit consumer group.
The problem is that despite all the attention data security has been receiving, it’s not getting any better. Skulls remain thick, and we keep learning of data security breaches that really shouldn’t be happening anymore. At some point, the excuse “Oops! We made a blunder” shouldn’t cut it.
It is unfortunate that data security isn’t getting much better and that the number and extent of data breaches aren’t diminishing. It is really problematic that we see the same types of bad security practices again and again and again. These trends suggest that we need stronger laws against bad data security practices.
Originally Posted at Concurring Opinions
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.