Archive for the ‘Security Breaches & Data Loss Incidents’ Category

Zeus Compromises Student Data at University of Oklahoma

Monday, July 12th, 2010

The University of Oklahoma has revealed that a laptop compromised by a variant of the Zeus botnet may have exposed or compromised sensitive information on OU students–including Social Security numbers. There are no further details yet available regarding the scope of the potential compromise. According to this blurb from KOCO.com, though, “OU officials said they are not aware of any instances of identity theft or similar problems as a result of the breach, but they said they can’t be certain that student information was not compromised.”

One way OU could be certain that student information was not compromised would be if the data stored on the laptop, or on the servers the laptop had access to, had been encrypted. I am not sure why these incidents seem to occur almost exclusively at medical establishments and educational institutions, but simply investing in the proper security controls up front can save time, money, and embarrassment for the organization, as well as protecting the personal and sensitive information the organization has been entrusted with.

Tufts University Alumni Data Exposed by Malware

Monday, June 14th, 2010

What is it about networks and data at universities and medical establishments? It seems like almost every breach of sensitive or personal data is related to these two types of institutions. Are they targeted more often than other types of networks, or do they just have weaker security and poorer data protection mechanisms in place?

Following on the heels of the recent botnet compromise at Penn State University, Tufts University has discovered that “several computers were recently exposed to an unknown virus or malicious software program.” As a result, roughly 7,000 alumni may have had their student ID numbers exposed–and, like Penn State University, the breached data is legacy data from a time when the university used students’ Social Security numbers as their student ID numbers.

Universities, including both Penn State University and Tufts University, have abandoned that practice, but apparently have not found the time to go back through archive data and old databases to purge legacy information from the servers. While that is still a good idea, and a project that these universities should be pursuing, having sufficient data protection controls in place, such as encrypting the stored data, would ensure that it would not be exposed even in the event of a malware compromise or breach of the server itself.

A small investment in proactive security measures goes a long way and saves the organization from the lost reputation, time, and money involved in responding to a data breach incident.

Penn State Server Compromised by Botnet

Wednesday, June 9th, 2010

Penn State University has sent out data breach notification letters to nearly 16,000 individuals to let them know that a computer in its Outreach Market Research and Data office was found to be actively communicating with a malicious botnet and that personal information including Social Security numbers may have been compromised.

Penn State has not used SSNs as a student identifier for five years; however, an archived copy of a legacy database apparently still existed on the compromised server.

A Penn State spokesperson explained that “We have, of course, standard defenses: site-licensed antivirus, unit firewalls, patching, vulnerability scanning, web application scanning, intrusion detection and blocking of confirmed hostile sites or frequently probed ports. When a machine is compromised, it must be re-installed from known ‘good’ media before it’s allowed back on the network, since it’s not possible to truly clean a machine that’s been fully compromised.”

All of those are excellent security controls and fit nicely with established security best practices. However, the data itself should be encrypted so that if and when an attacker figures out how to circumvent those defenses the data itself will still be impervious to unauthorized access.

An Unenforced Policy is the Same as No Policy at All

Friday, June 4th, 2010

The West Berkshire Council has just learned this lesson the hard way. According to a recent report of lost data “West Berkshire introduced encrypted memory sticks in 2006. But following an investigation by the Information Commissioner’s Office (ICO), it was also discovered that council employees were still using unencrypted memory sticks.”

In a perfect world, simply stating that data should only be stored on approved USB devices, and that all data on portable storage media must be encrypted would be good enough. In the real world, though, simply stating it is not good enough. Stating a policy–without any means of monitoring or enforcing compliance with it–is simply paying lip service to data protection and gambling that a data breach incident will never occur.

West Berkshire Council lost that gamble when an unencrypted USB memory stick containing sensitive information relating to the ethnicity, and mental and physical health, of children was lost. The report also contains this quote: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.”

The best option to ensure correct safeguards are in place is Zlock. Zlock allows IT administrators to restrict users from writing data to unapproved portable storage media. Access can be locked down to devices from a particular manufacturer, or of a particular type. A specific USB memory stick can be associated with each individual user, and all other memory sticks can be blocked.
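To make the enforcement model above concrete, here is an added example (my own illustration, not Zlock’s code or API) of a default-deny removable-media policy that layers the three controls the post describes: a blocked device type always loses, a user who has been issued a specific stick may write only to that stick, and otherwise only approved manufacturers are permitted. Vendor IDs, serial numbers and user names are constructed for illustration.

```python
"""Default-deny removable-media policy check (illustrative, not Zlock code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str      # USB vendor ID as four hex digits (constructed values below)
    device_class: str   # coarse device type, e.g. "mass_storage" or "mtp"
    serial: str         # unit serial number reported by the device


@dataclass
class MediaPolicy:
    allowed_vendors: frozenset            # manufacturers approved for write access
    blocked_classes: frozenset            # device types never permitted, for anyone
    user_devices: dict = field(default_factory=dict)  # user -> serial of issued stick

    def decide(self, user: str, dev: UsbDevice) -> tuple:
        """Return (allowed, reason). Anything not explicitly approved is denied."""
        if dev.device_class in self.blocked_classes:
            return False, "device class %s is blocked" % dev.device_class
        issued = self.user_devices.get(user)
        if issued is not None:
            # A user with an issued stick may only write to that exact stick,
            # even if the other stick comes from an approved manufacturer.
            if dev.serial == issued:
                return True, "matches the stick issued to this user"
            return False, "not the stick issued to this user"
        if dev.vendor_id in self.allowed_vendors:
            return True, "approved manufacturer"
        return False, "unapproved device (default deny)"


def audit_write_attempts(policy: MediaPolicy, events: list) -> list:
    """Evaluate (user, device) write attempts and produce an audit record for each.
    Recording every denial is what turns a paper policy into an enforced one."""
    records = []
    for user, dev in events:
        allowed, reason = policy.decide(user, dev)
        records.append({"user": user, "serial": dev.serial,
                        "allowed": allowed, "reason": reason})
    return records


# Constructed sample policy: one approved vendor, MTP devices blocked,
# and alice has been issued the stick with serial SN-ALICE-001.
SAMPLE_POLICY = MediaPolicy(allowed_vendors=frozenset({"0781"}),
                            blocked_classes=frozenset({"mtp"}),
                            user_devices={"alice": "SN-ALICE-001"})
```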

In the case of West Berkshire Council, Zlock would have been instrumental in ensuring that users relied on the encrypted USB memory sticks they were issued four years ago, rather than storing data on the now-lost unencrypted USB memory stick.

How Many Stolen Laptops Does It Take?

Thursday, May 27th, 2010

You may or may not realize this, but one of the primary advantages of notebook and netbook computers is their portability. Being able to work from hotel lobbies, corner coffee shops, and the random McDonald’s certainly has its advantages, but I’ll let you in on a little secret–thieves like the small size, light weight, and portability of laptops too.

Just in the past couple of weeks there have been two incidents of laptops from medical centers being lost or stolen. One, from the Oconee Physician Practices, contained the name, date of birth, gender, height and weight, blood pressure, and other medical data connected with the EKG for more than 600 patients. Another, from Loma Linda University Medical Center, held the patient’s name, medical record number, diagnosis, surgery date, and type of procedure for more than 500 patients.

How many laptops have to be lost or stolen before IT administrators and executive management realize that data has to be proactively encrypted and protected? The investment in the right tools to do the job–like Zecurion Zserver Suite–is significantly less than the cost–financially and to the company’s reputation–from being responsible for compromising the sensitive and confidential data of customers or employees.

Stolen Hard Drive Puts Data from 5,418 Patients at Risk

Friday, April 30th, 2010

On April 1st a hard drive was stolen from the mammography suite of The Medical Center at Bowling Green. The missing drive contained information on 5,418 patients who had undergone bone density testing between 1997 and 2009–including names, addresses, birth dates, physician names, medical records, and possibly Social Security numbers.

Of course, the data was not encrypted or protected on the drive itself, placing it at risk of exposure to anyone who happens to examine the contents of the drive. The medical center managed the investigation internally for 17 days before notifying authorities and turning the case over as a criminal incident. Only at that point did it begin to notify the affected patients.

Looking at the positive side of the incident: “Since the theft occurred, hospital officials have taken steps to strengthen the security of patient information and that includes linking to a secure network eliminating the need for computer hard drives, such as the one that was stolen.”

Yet again, a case of reacting after the fact. Installing a sprinkler system AFTER the building burns down offers little consolation for the lost building–yet so many companies and IT administrators seem to be willing to gamble with the personal information they are entrusted with–and frequently lose.

A small investment in proactively encrypting data to prevent unauthorized access would have protected the data and saved the Medical Center from the bad publicity and damaged reputation. “Fixing” the problem after the fact is almost always a more costly proposition than doing right in the first place.

UK Police Officer Emails Sensitive Information

Monday, April 19th, 2010

Oops. Have you ever hit SEND just as you realize that you are sending an email to the wrong person or group? Well, imagine how one Gwent Police officer felt when he accidentally forwarded an unprotected Excel spreadsheet containing sensitive information on over 10,000 people…to a journalist.

The officer, now facing a gross misconduct investigation and possible termination, sent an Excel file attachment containing names, dates of birth, and detailed results of criminal background investigations on 10,006 individuals dating back to 2001.

It is up to the Gwent Police to determine whether it was negligence, incompetence, or simple human error that led to this data breach. But incidents like this are preventable if you remove the human error factor from the equation. Zecurion Zgate monitors inbound and outbound email for sensitive information and ensures that private and confidential data is handled according to established rules and policies, and that sensitive data is not transmitted unencrypted.

Portable Hard Drive Theft Puts Client Data at Risk

Monday, April 19th, 2010

A portable hard drive containing unencrypted data was stolen from the car of an LPL Financial representative, putting the names, addresses, birth dates, and Social Security numbers of an undisclosed number of clients at risk.

In LPL Financial’s defense, there is an existing branch security policy requiring that all portable hard drives or laptops storing client data must be encrypted and accessible only by use of a passcode or key. Apparently, that policy was not obeyed in this case.

There are forty-five states with some sort of disclosure law requiring data breaches be reported, but only two states–Massachusetts and Nevada–actually require that personal client data be encrypted.

It is admirable that LPL Financial has an established policy mandating that data be encrypted, but as this incident illustrates policies can be broken. LPL Financial, and other companies serious about protecting data, should have a solution in place that doesn’t rely on human intervention to function. Sensitive data should only be allowed to be written to drives with the appropriate encryption mechanisms in place.

Stop Trying to Stay a Step Ahead of the Bad Guys

Tuesday, March 23rd, 2010

Face it–it’s a long race, with no end in sight, that you have little hope of winning.

Let’s back up a step (pun intended) for some context. The Sunridge Medical Clinic at the University of Calgary was recently victimized by malware which compromised a server–potentially exposing sensitive personal information on 4,700 patients.

Wayne Wood, a spokesman for the Office of the Information and Privacy Commissioner of Alberta, told the Calgary Sun “Every once in a while someone figures out how to get past the firewall,” adding “It seems the bad guys are always two steps ahead in terms of technology.”

Now, in this case it doesn’t necessarily seem like the bad guys were two steps ahead. The compromised server was infected by two different viruses, and staff discovered that the antimalware protection on the system was not up to date. So, really, the problem is that the security on the server was two steps behind–not that the attackers were two steps ahead.

That said, why bother engaging in a foot race with the bad guys? There are certainly reasons that you will still want to have standard security measures in place: antimalware, firewall, etc. But encrypting the data stored on the server will ensure that it cannot be accessed or breached even if the server it resides on is compromised. With the proper tools in place, a server breach does not have to be a data breach, and you can stop losing sleep over whether you are a step ahead–or two steps behind–the bad guys.