NUI Galway’s Problem: Misplaced USB Flash Drive Containing Unencrypted Student Records
USB Flash Drive is a blessing to end-users, data files that we used to cram in 1.44MB floppy disks, burn in CD-Rs and saved in proprietary disk format Iomega Zip disks of the late ’90s. This same convenience comes with a huge cost if mishandled, flash drives are small, portable and easy to carry – it is also one of the most popular storage media to misplace.
This is exactly what NUI Galway’s dilemma, a lost USB flash drive containing 900 unencrypted personally identifiable records of students, including their test results, full names and other contact information.
“NUI Galway recently suffered a potential breach of personal data whereby a non-encrypted portable device (USB stick) was potentially utilized to store a confidential file containing a list of students. The device was mislaid and is now presumed lost. While the University is unclear on the contents of the portable device, it may have held a file containing names of approximately 5pc of the student body, their student number, and exam results,” explained the University’s spokesperson.
As a classic case of negligence on the part of the handler in particular and the University itself in general, its officials have informed the possibly affected students about the incident. It is not clear if it is the University’s policy to use unencrypted USB flash drives for sneakernet purposes (the process of transferring data through sharing of a physical storage media instead of through the network/Internet).
“The University has taken into account the seriousness of this issue which has also been reported to the Office of the Irish Data Protection Commissioner who have considered the matter and issued guidance. The University has strict policies in place relating to the use of portable devices, in addition to a staff data protection training programme and online security training,” added the University spokesperson.
It is a very poor policy for the University to use removable storage mediums without encryption, as just losing it basically enables an unknown 3rd party to take a look at the files the USB flash drive contains in the clear. The University’s Student Union has taken a look at the case itself, as the student body is affected. It is potentially, all the 18,000 students of the University are affected, as the names of those 900 were never revealed if not unknown by the University officials.
“The college is calling for a full review, and we’re calling on them to make sure that review happens. It will explore why it happened and make sure these things are communicated with students as well. We need to take a look at the process of it,” said Megan Reilly, Student Union’s President of NUI Galway.
Free encryption software is built with Windows 7, 8 and 10’s Professional and Enterprise flavors, which can be used to encrypt USB flash drives. If the user favors open source software, VeraCrypt is also available for download for encrypting USB flash drives, SD-card or even hard drives. There is no reason for an organization such as a university or a company not to use encryption.
Kevin Jones932 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.