
Archive for the ‘Security Breaches & Data Loss Incidents’ Category

Trusting Employees Is Bad Security Policy

Thursday, November 10th, 2011

Companies like to be able to trust employees. This is particularly true in smaller companies, where the environment is more like a family and the founders/owners are often personal friends with the employees. In the end, though, business is business and it doesn’t mix well with personal trust–especially when it comes to protecting sensitive and confidential data.

Michael Pattison, the head of Allens Arthur Robinson’s technology law group is quoted saying, “Ultimately you trust people that you employ, so it’s depressing to find at times that the trust is breached.”

When employees leave a company–whether through firing or of their own accord–they often take proprietary and sensitive data with them out the door. Computershare is learning that lesson the hard way. An employee resigned and the company is accusing her of having stolen internal documents, emails, and possibly personal data and financial records of millions of shareholders that rely on Computershare’s global share registry.

A certain measure of trust is expected between employees and employers. If either party can’t trust the other to some extent, it creates a paranoid, hostile work environment. But, trust is a poor policy for data protection, and companies need to have tools in place to secure sensitive data even from the employees it is entrusted to.

Israeli Data Breach Has Terrorist Implications

Thursday, October 27th, 2011

Any time personal details and sensitive information are breached it’s a problem. Most of the time, though, people are concerned with receiving more spam, or–at worst–identity theft that could lead to funds being taken from bank or investment accounts, or debt being run up in the name of the victim. A data breach in Israel, however, put the details of virtually the entire population at risk in a way that could be used by terrorists or opposition forces to target certain demographics or individuals.

The compromised data includes names, ID numbers, addresses, birth dates, and other sensitive data such as relationships between individuals for 9 million Israeli citizens. The information was illegally distributed in a program called Agron 2006 which enables users to query the database and drill down through the data to identify demographic sectors of society, and trace the relationships between key individuals. In the wrong hands, this information could be used to target certain groups or individuals, and put their extended families and friends at risk as well.

The Justice Ministry investigation has been ongoing for five years, and just recently resulted in the arrest of six individuals. Bringing responsible parties to justice is important, but the proverbial horse has already escaped the barn. Hopefully the Israeli government has implemented better data encryption and data loss prevention tools to prevent such incidents from occurring in the first place in the future.

Anonymous Austria “Stumbles Upon” Data on 600,000

Wednesday, October 5th, 2011

The records of more than 600,000 individuals insured by Tyrolean Health Insurance (TGKK) have been compromised by the Austrian arm of the hacker collective known as Anonymous.

In this particular case, though, Anonymous Austria insists that it didn’t have to do any fancy hacking to get the data–it just “found it”. TGKK agrees because it is adamant that its network and servers were not breached.

A TGKK official stressed that no hackers have penetrated the insurer’s double firewall. But, if personal information on 600,000 customers has been exposed or compromised in any way, the double firewall and extensive security measures in place internally on TGKK servers offer little solace.

The fact remains that data entrusted to TGKK–that TGKK is obligated to protect and securely maintain–is now in the hands of someone else. In fact, it is actually a larger issue that the information was just “discovered” online somewhere. It would be better if Anonymous Austria had to demonstrate some degree of hacking prowess to acquire the data.

The question for TGKK is “what good is a double firewall and formidable server protection if you transmit or share unencrypted and unprotected data across the Internet?”

TGKK should be using tools to ensure that sensitive data doesn’t leave the network in the first place. If the data transmission is authorized and legitimate, TGKK should have a record of exactly who sent the data and where it went, and the data should be encrypted so it can’t be intercepted and accessed by unauthorized users.

There Comes a Point Where It’s Willful Neglect

Monday, September 26th, 2011

Benefits Administration Services (BAS) revealed that a CD containing sensitive information on about 4,000 U.S. Steel Mining retirees and their dependents is lost in the mail somewhere. The CD is supposedly password protected, but the data it contains is not encrypted.  

I think we’ve all been pretty tolerant of data breaches up to now. Perhaps too tolerant.

We always give the benefit of the doubt to companies and their employees: “They didn’t mean to expose my Social Security number”, or “I’m sure it was an accident that the medical center posted my health record on the Web”, or “Well, it’s not my bank’s fault that the postal system lost the disc with my data on it.”

But, those excuses won’t fly any more. Companies and employees do know better. It is a simple matter of having solid data handling and data protection policies, and the tools in place to enforce them. That worker probably didn’t intend to expose your Social Security number, but a data loss prevention (DLP) tool could have prevented the inadvertent exposure. It probably was an accident that your medical records were posted online, but a DLP gateway would prevent that information from leaving the network. Your bank can’t guarantee that the post office won’t lose a disc in transit, but they can have tools in place to automatically encrypt data so that it is protected from unauthorized access.

In the past, we could forgive these things. But, data breaches are in the news almost daily. There are multiple industry, state, and federal mandates in place governing the effective protection of personal and sensitive data. No company or employee can claim ignorance at this point.

No. Now it’s a matter of willful neglect. Employees know what they’re supposed to do, but they’d rather take shortcuts and ignore data protection policies. Companies know what they’re supposed to do, but they’d rather save a buck and gamble with your personal data instead. 

DLP tools are not expensive–especially in relation to a data breach. There is no excuse.

Free Credit Monitoring Is the Least You Can Do…Literally

Saturday, June 25th, 2011

Free credit monitoring is the de facto response in the case of a data breach incident. The organization that was entrusted with sensitive, personal information that can be used to steal the customers’ money or identity (or both) generally picks up the tab for a year of free credit monitoring to keep an eye on things and make sure no suspicious activity occurs. With the rate and scope of data breaches these days, probably just about every American with a bank account or credit card already has free credit monitoring from at least one data breach–but not Citigroup.

Following a data breach that exposed information from as many as 360,000 credit card accounts, Citigroup sent letters to the affected customers with some helpful tips to follow, but it stopped short of offering any actual assistance. That translates roughly to “hey, sorry we didn’t take better care of your data–sucks being you.”

It’s the least you can do, Citigroup. No, really–it is literally the least you can do. It is the bare minimum you can offer loyal customers as some feeble apology for violating their trust and allowing sensitive data to be compromised or exposed. Honestly, the credit monitoring even seems like a paltry apology–but it is better than nothing, and it seems like the most logical course of action for the organization because there is no way of knowing up front which accounts will actually be impacted. Free credit monitoring at least lets customers know you care enough about having exposed their data to offer to keep a proactive eye on things rather than placing the burden on the customers to monitor for suspicious activity themselves.

Citigroup should be examining how the data breach occurred and putting tools and controls in place to ensure it doesn’t happen again. In the meantime, though, Citigroup should step up and offer free credit monitoring.

The Hackers Are Making It Look Too Easy

Tuesday, June 14th, 2011

When Anonymous took on the forces opposing Wikileaks, it had a sort of “Robin Hood-esque”, fighting for the underdog feel to it.

When Epsilon and RSA Security were breached, it was easy to write the attacks off as random, standalone occurrences.

When Sony got attacked–repeatedly–it was again easy to dismiss it as hacktivism.

Things have gotten out of hand. Between LulzSec and Anonymous, sites are being breached on a virtually daily basis. These hacking collectives seem to operate with relative impunity and make breaking into networks and servers look like stealing candy from a baby.

While it is easy to condemn the actions of these groups, the ease with which they are hacking networks raises the question of whether or not there is more that organizations can or should be doing to secure their networks and lock down their data. There is no such thing as an impenetrable network. Given enough time, skill, and resources, attackers can find a way into any network. But, these attacks don’t seem to be taking the kind of time, skill, or resources that should be required for networks and data that are properly protected.

I do not condone the actions of the hacking collectives, but I do think they deserve some credit for poignantly demonstrating on a daily basis just how frail most network defenses and data security measures are.

Honda Canada Hack Exposes Data on 280,000 Customers

Friday, May 27th, 2011

Honda Canada is informing some 280,000 customers of a data breach that exposed their personal data. The actual attack was discovered a couple months ago, but Honda Canada had to first determine the scope and impact of the attack before it could begin notifying customers.

There is some good news as well, though–at least good news relative to having data on 280,000 customers compromised. According to the notice sent by Honda to customers, the data that was exposed did not include sensitive details such as Social Security numbers, driver’s license information, birth dates, phone numbers or credit card numbers.

Good news aside, the delay in reporting the attack highlights an issue faced by many companies–they lack the archiving and logging that would make a forensic investigation of an incident much easier. IT admins should have tools in place to A) monitor outbound traffic and block sensitive data from being compromised or exposed, and B) create an audit trail for data that is allowed out so that IT admins can quickly and easily identify which data may be impacted by a security incident.
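The two controls this post asks for, and that the “willful neglect” post above also calls for (a DLP gateway that stops Social Security numbers leaving the network, plus an audit trail), as an added illustration that is not code from the original blog: a small Python outbound filter that scans each message for SSN-shaped values, discards patterns the SSA never issues, blocks the message when the destination is outside the organisation, and writes an audit record for every message without copying the matched SSNs into the log. The sample messages and the corp.example / example.test domains are constructed.

```python
import re
import hashlib
from datetime import datetime, timezone

# Constructed sample of outbound messages; every value here is made up.
SAMPLE_OUTBOUND = [
    {"id": "m1", "sender": "benefits@corp.example", "dest": "partner.example.test",
     "body": "Retiree roster: Jane Doe, SSN 219-09-9999, DOB 1951-03-04"},
    {"id": "m2", "sender": "it@corp.example", "dest": "vendor.example.test",
     "body": "Ticket 4521 closed; reference code 000-12-3456 is not a person"},
    {"id": "m3", "sender": "hr@corp.example", "dest": "mail.corp.example",
     "body": "Reminder: benefits enrollment closes Friday."},
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def is_plausible_ssn(area, group, serial):
    """Drop patterns the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    return int(area) not in (0, 666) and int(area) < 900 and int(group) != 0 and int(serial) != 0

def find_ssns(text):
    """Return the SSN-shaped tokens in text that pass the plausibility check."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]

def is_internal(dest, internal_domains):
    return any(dest == d or dest.endswith("." + d) for d in internal_domains)

def inspect_outbound(msg, internal_domains, now=None):
    """Block SSN-bearing messages leaving the organisation; always emit an audit record."""
    hits = find_ssns(msg["body"])
    action = "block" if hits and not is_internal(msg["dest"], internal_domains) else "allow"
    record = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "msg_id": msg["id"], "sender": msg["sender"], "dest": msg["dest"],
        "action": action, "ssn_count": len(hits),
        # Log a fingerprint of the content, never the matched SSNs themselves.
        "body_sha256": hashlib.sha256(msg["body"].encode()).hexdigest(),
    }
    return action, record

def run_gateway(messages, internal_domains=("corp.example",)):
    """Apply the policy to each message; return the ids delivered and the full audit trail."""
    delivered, audit_log = [], []
    for msg in messages:
        action, record = inspect_outbound(msg, internal_domains)
        audit_log.append(record)
        if action == "allow":
            delivered.append(msg["id"])
    return delivered, audit_log
```

Running `run_gateway(SAMPLE_OUTBOUND)` blocks m1 (a real-looking SSN bound for an external domain), lets m2 through because 000-12-3456 is not an issuable SSN, and leaves three audit records that name sender, destination and decision but contain no SSN.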

Sony Still Under Siege from Hackers

Wednesday, May 25th, 2011

Wow. Sony really pissed somebody off. It seems like every day there is news of another Sony network falling victim to attack.

Just in the past couple days one attack yielded 2,000 customer records, while another exposed 8,500 customer accounts. Of course, those are pocket change compared with the estimated 77 million accounts exposed by the hack of the Sony PlayStation Network.

What is the lesson here, though? Is it that Sony pissed off the wrong hackers and other companies should try to stay more low profile so they don’t invite a similar wrath? Or, is it that Sony should have better network and data security so that hackers can’t just waltz in and take sensitive data?

I am going to suggest it is somewhere in the middle. Obviously, it is best not to poke the proverbial hornets’ nest, but you can’t let the possibility of offending cyber criminals dictate how you conduct business. That said, it seems equally obvious that Sony’s network defense and data protection is trivial for hackers to circumvent.

I think there is some danger for other organizations in assuming that the problem stems purely from Sony making enemies of the hackers in question–as if, had Sony not done that, the data would be safe. Don’t assume that just because your network is not under siege like Sony, it is impervious, or that your data couldn’t suffer a similar fate.

On the contrary, use this as a learning experience. To the extent you can–given whatever details Sony might reveal–assume that your network or data were under a similar attack and try to predict what would happen. Perhaps you can gain some valuable knowledge from the experience and put it to good use before your data gets exposed as well.

The Most Important Protection for Your Backup Data Is Encryption

Friday, May 13th, 2011

A health provider in Oregon is learning the hard way that it is more important to protect the data on the backup media than it is to protect the backup media itself. Measures to protect backup tapes or external drives from theft or natural disaster do little to protect the data once the tapes or drives are lost or stolen.

Dunes Family Health Care has issued a notice to about 16,000 current and former patients to let them know their personal information–including name, date of birth, clinical patient data, and in some cases Social Security numbers–has been compromised.

According to the notice, Dunes Family Health Care relied on a third party to store and protect the backup media. They knew enough to A) back up their data, B) store it at an offsite location, and C) ensure that the backup media was protected against theft or natural disaster. The statement says, “The hard drive was stored in a locked, fire-protected building with limited access.” But, the drive was apparently stolen anyway, and Dunes Family Health Care forgot the most important step–encrypt the backup data itself so that it is safe even if the backup media is lost or stolen.

Everything Is Bigger in Texas–Even Data Breaches

Tuesday, April 12th, 2011

Not to be outdone by the likes of Epsilon, Texas holds true to its popular tag line that “everything is bigger in Texas” with a larger than life data breach of its own. Heads rolled and people lost their jobs when it was discovered that sensitive information on more than 3.5 million people was left exposed to the public by the Texas Comptroller’s office.

The Epsilon data breach affected more individuals, but all that was compromised were email addresses, and perhaps the affiliation of an email address as a customer of a specific bank or retail establishment. The Texas breach, on the other hand, exposed much more useful data from an identity theft perspective: names, addresses, and Social Security numbers. In some cases, even dates of birth and driver’s license numbers were compromised.

Tsk, tsk Texas. To borrow a quote from Benjamin Franklin, “an ounce of prevention is worth a pound of cure.”