New security measures to address recent computer thefts
COPY LINK
BY ZACH VEILLEUX
A series of recent criminal incidents on Rockefeller’s campus this fall, one of which resulted in a breach of sensitive data, has led the university’s administration to tighten security at the 64th Street gate, plug holes in its surveillance network and formalize an existing data ownership policy. The incidents, all three of which involved unauthorized individuals entering campus, resulted in the thefts of computers and cash; there were no injuries.
The first incident, which occurred sometime over the Labor Day holiday weekend, was reported on September 7, when personnel working in the Bronk building separately notified Security that two computers were missing: a 20-inch iMac desktop and a Mac Mini. Two building occupants that had been working on September 6 later told Security they had encountered an unfamiliar person in the building. A review of security camera tapes, however, was inconclusive.
“It’s likely that whoever stole the computers managed to exit the building without passing a security camera, which was possible in Bronk,” says Jim Rogers, director of security.
In the second incident, a security officer on a regular patrol in Welch Hall encountered a man sleeping in a storage room on the first floor of the library at 8 a.m. on a Sunday. Although he claimed to be a Hunter College student who had been let in by a friend, Security was not able to substantiate his story and he was escorted from the campus. The same man returned three days later, attempting to enter at the 67th Street gate without showing ID; after being confronted by the guard on duty, he fled north on York Avenue.
Finally, on October 16, a student working on the 10th floor of the Weiss building called Security at 12:45 p.m. to report a suspicious person. She later discovered that $50 was missing from her pocketbook. Although Security responded and searched the building, he was not found. This time, security camera tapes were helpful.
“After reviewing the tapes, we were able to determine that he entered the campus via the 64th Street gate, slipping in after somebody opened the gate to leave,” says Mr. Rogers. He is then seen entering Weiss on the second floor, and leaving, about six minutes later, from the first floor. He fled by climbing over the fence near the chiller plant.
In all three cases, Security notified the NYPD and filed reports. In the case of the stolen computers, Security also notified the information security team in IT, which is standard practice when information resources are compromised. Information security personnel conduct their own investigation whenever equipment potentially containing sensitive university data is reported lost or stolen.
Marty Leidner, chief information security officer for the university, and his team spoke with the heads of the two labs involved and performed a series of forensic tests on data that had been backed up from the machines. “We found the names and social security numbers of approximately 30 people, mostly from fifteen-year-old documents relating to NIH grants,” says Mr. Leidner. Although the NIH stopped asking for social security numbers in 2001, it’s not uncommon for such sensitive personal data to exist in old documents that have long been forgotten deep within the file structures of computers, Mr. Leidner says.
“One of the best things people can do to safeguard this type of sensitive data is to keep their systems cleared of outdated and unnecessary documents,” Mr. Leidner says. “Deleting unneeded documents is the simplest solution, but if users want to archive their old data, we have a variety of methods that can help them do so safely, including hardware and software encryption tools.” IT also has software available that can help search for and redact certain types of personal information.
While it’s unlikely that the thief who took the computers was interested in their data, in most states law requires that breaches of sensitive data, including social security numbers, be reported, and that the victims be notified. To satisfy those requirements, the university’s General Counsel’s office reported the incident to the appropriate state agencies and sent a letter to the affected individuals explaining the situation and offering to pay for identity monitoring service.
“We’re fortunate that this incident was relatively small and did not involve patient data,” says Mr. Leidner. “But it’s a wake-up call to what could happen.” As a result, the university’s administration has formally adopted a data classification and ownership policy (available at it.rockefeller.edu/dataownership), which clarifies how certain types of data must be protected and emphasizes the responsibility of users to protect that data.
The university is working to install additional cameras in Bronk and has closed the 64th Street gate to both incoming and outgoing traffic during nights and weekends. “While we recognize this decision is an inconvenience for some, this gate is the weakest point in our perimeter security and we have now seen that it is the preferred point of entry for people who are looking to cause mischief,” says Mr. Rogers. “The only way to make it more secure when we can’t have a guard available is to disable it altogether.” Those who need to enter or leave the south campus between 6:30 p.m. and 5 a.m. and on weekends may do so using the turnstile adjacent to the 64th Street guard’s booth and the CBC or loading dock.
“Although we have relatively few incidents on campus, it’s important to remember that we are in a big city and all types of crimes do occur,” says Mr. Rogers. “People should be vigilant and notify security promptly when they see unfamiliar or suspicious people in their lab or on their floor. Security is a shared responsibility and the members of our community are in the best position to know when something’s amiss.”
