Blog

Archive for the ‘Security Breaches & Data Loss Incidents’ Category

BP Loses Personal Data from Oil Spill Claims

Wednesday, March 30th, 2011

BP has the Midas touch…well, the anti-Midas touch. The fabled King Midas of Greek mythology was granted the gift of turning anything into gold with a simple touch. BP, on the other hand, has an innate ability to turn anything it comes into contact with into crap.

As if cutting costs on maintenance and safety for its Deepwater Horizon offshore drilling rig, leading to the biggest marine oil spill in the history of the petroleum industry and polluting the Gulf of Mexico with millions of barrels of oil, wasn’t bad enough, BP has now lost a laptop containing personal information on thousands of claimants affected by that disaster.

The missing laptop contained names, addresses, phone numbers, dates of birth and Social Security numbers for the 13,000-plus people who had filed claims for damages related to the oil spill. Now BP can start fresh, accepting claims for damages related to identity theft and the compromise of personal information.

A PCWorld article about the missing BP laptop sums up by pointing out a painfully simple, yet obviously ignored reality. “Although numerous encryption technologies are readily available these days to mitigate the risk, many companies still don’t use them.”

No Excuse for Lightning to Strike Twice at Health Net

Tuesday, March 22nd, 2011

There is a saying to the effect of “Fool me once, shame on you. Fool me twice, shame on me.” Well–shame on Health Net for getting hit with its second massive breach of customer data in as many years. Thanks to nine unencrypted drives getting “lost” during a move to a new data center, Health Net has potentially exposed sensitive data on 1.9 million customers.

Ericka Chickowski notes in an article on Dark Reading that, “According to the most recent Ponemon Institute figures, the average data breach costs healthcare organizations $345 per record. Using those numbers, this breach could cost Health Net upward of $655 million when all is said and done.”

I get it. On some level I understand that security is an expense and requires effort, and that it is easy to assume that security incidents and data breaches only happen to other companies. It is easy to rationalize gambling with sensitive customer data and assume that having information lost or stolen is about as likely as getting struck by lightning.

But, there isn’t really any excuse for getting struck by lightning twice. Health Net should have learned its lesson the first time around and taken steps to proactively encrypt and protect data on server drives and backup media. A solution from Zecurion would have cost Health Net a fraction of a percent of that estimated $655 million in damages from the data breach–virtually nothing in the grand scheme of things.

Don’t assume that lightning can’t strike at your organization. Your data, and the personal information of your customers, deserve better protection than keeping your fingers crossed and hoping for the best.

Cord Blood Registry Learns Hard Lesson

Friday, March 4th, 2011

What happens when you leave a laptop and backup tapes holding unencrypted sensitive customer data in your car? Simple–someone breaks into aforementioned vehicle and steals them–leading to a data breach affecting 300,000 customers.

Cord Blood Registry, the world’s largest stem cell bank, learned this lesson the hard way. Hopefully, your data is already protected–especially on laptops and backup media. If not, hopefully you will learn from CBR’s mistake and won’t have to go through the painful process of learning the lesson the hard way as well.

Lax data protection is usually a combination of a false sense of security, obliviousness to the risk, and a healthy dose of feeling that the solution is too complex or costly. CBR should have had policies in place mandating that data on laptops and backup media be encrypted to prevent exposure or compromise. More importantly, it should have had tools in place that simplify and automate that process, so that data protection isn’t reliant solely on an individual user’s ability to follow the policy.

Gigabytes of Data Gone in a Flash

Thursday, March 3rd, 2011

Have you ever lost a USB thumb drive? I have so many, I am not even sure I would notice if one was missing. I am positive that some have been misplaced over time. Thankfully, none of my USB thumb drives have any private or sensitive information I care about on them. Lost thumb drive? No sweat. The next tech conference or event I go to, I am bound to get three or four new ones.

For many companies, unfortunately, thumb drives also get lost–but contain sensitive data that is not properly protected. For example, an employee of the Henry Ford Health System in Michigan recently lost a USB flash drive containing unencrypted information on nearly 3,000 patients.

Apparently, Henry Ford Health System has a policy in place mandating that such data be encrypted. The news report of the loss states, “The device is not encrypted as required to protect individual patient information.” It also says, “hospital officials said it’s still unclear how the flash drive was lost.”

I think this brings up two valuable points. First–it is only marginally relevant how the flash drive was lost. Maybe it was stolen. Maybe it got left in a pair of pants and washed with the laundry. Maybe it fell out of the employee’s pocket. The bottom line is that determining how the USB flash drive was lost is unlikely to yield any useful results to prevent a similar occurrence in the future.

Second, it demonstrates that an unenforced policy is about as effective as not having a policy in the first place. Whether the employee intentionally ignored the policy, or made an honest mistake, the fact is the policy wasn’t followed and now personal information on almost 3,000 patients is assumed exposed or compromised as a result.

Establishing a policy is an important step, but it is just a first step, not the end of the journey. IT admins need to have tools in place that can monitor systems and ensure the policy is followed and enforced as well.
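One way to turn an “encrypt everything on removable media” policy into something an admin can actually check, as an added example that is not Zecurion’s code and not from the original post: a small Python audit that lists every USB-attached volume on a host and flags any that carries a plain filesystem instead of an encrypted container. It assumes a Linux host with util-linux lsblk (crypto_LUKS and BitLocker are the signatures blkid reports for those containers); the lsblk transcript inside the block is constructed so the check runs offline, and the same function can be pointed at a live host. It serves both the Cord Blood Registry post above and this one.

```python
"""Audit attached removable storage against a 'removable media must be encrypted' policy.

Added example (not Zecurion's code and not from the original post). Assumes a Linux
host with util-linux `lsblk`; the policy check itself runs on parsed text, so the
sample below is a constructed lsblk transcript and the check runs offline.
"""
import re
import subprocess

# Columns requested from lsblk. PKNAME is the parent kernel device name, which lets a
# partition inherit its disk's transport (lsblk leaves TRAN blank on partitions).
COLUMNS = "NAME,PKNAME,TYPE,TRAN,FSTYPE,MOUNTPOINT"

# Filesystem signatures blkid reports for encrypted containers. A LUKS or BitLocker
# partition shows one of these FSTYPEs; its unlocked cleartext view is a separate
# "crypt" device, which the audit deliberately ignores.
ENCRYPTED_FSTYPES = {"crypto_LUKS", "BitLocker"}

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk_pairs(text):
    """Parse `lsblk -P` output (KEY="value" pairs, one device per line) into dicts."""
    devices = []
    for line in text.splitlines():
        if line.strip():
            devices.append(dict(PAIR_RE.findall(line)))
    return devices


def find_unencrypted_removable(devices):
    """Return (name, fstype, mountpoint) for every USB-attached disk or partition that
    carries a plain filesystem directly, i.e. not inside an encrypted container."""
    by_name = {d["NAME"]: d for d in devices}

    def transport(dev):
        # Walk up to the disk to learn how the device is attached.
        while dev and not dev.get("TRAN"):
            dev = by_name.get(dev.get("PKNAME", ""))
        return dev.get("TRAN", "") if dev else ""

    violations = []
    for d in devices:
        if d.get("TYPE") not in ("disk", "part"):
            continue  # "crypt" mappings are the unlocked view of an encrypted volume
        fstype = d.get("FSTYPE", "")
        if not fstype or fstype in ENCRYPTED_FSTYPES:
            continue  # unformatted, or an encrypted container: policy satisfied
        if transport(d) == "usb":
            violations.append((d["NAME"], fstype, d.get("MOUNTPOINT", "")))
    return violations


# Constructed sample transcript (not captured from a real host):
#  sda = internal SATA disk; sdb = USB stick with a plain FAT32 partition (violation);
#  sdc = USB disk whose partition is a LUKS container, unlocked as the dm device "secure".
SAMPLE = '''\
NAME="sda" PKNAME="" TYPE="disk" TRAN="sata" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" TRAN="" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sdb" PKNAME="" TYPE="disk" TRAN="usb" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" TYPE="part" TRAN="" FSTYPE="vfat" MOUNTPOINT="/media/user/STICK"
NAME="sdc" PKNAME="" TYPE="disk" TRAN="usb" FSTYPE="" MOUNTPOINT=""
NAME="sdc1" PKNAME="sdc" TYPE="part" TRAN="" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="secure" PKNAME="sdc1" TYPE="crypt" TRAN="" FSTYPE="ext4" MOUNTPOINT="/media/user/secure"
'''


def audit_live_host():
    """Run the check against the real host; needs lsblk on PATH."""
    out = subprocess.run(["lsblk", "-P", "-o", COLUMNS], check=True,
                         capture_output=True, text=True).stdout
    return find_unencrypted_removable(parse_lsblk_pairs(out))


if __name__ == "__main__":
    for name, fstype, mnt in find_unencrypted_removable(parse_lsblk_pairs(SAMPLE)):
        print(f"POLICY VIOLATION: /dev/{name} ({fstype}) on USB is not encrypted,"
              f" mounted at {mnt or '-'}")
```

Run it from a configuration-management job or a login hook and send the violations to whatever the organization already uses for alerting; the policy at Henry Ford Health System failed precisely because nothing was checking it. The same check, with the transport filter relaxed, tells you whether a laptop’s system disk is an encrypted container before the laptop leaves the building.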

Disgruntled Employee Exposes Client Data

Tuesday, February 15th, 2011

A former San Francisco city employee breached the confidential data of nearly 2,500 Medi-Cal recipients in an effort to make a case defending the “poor performance” that led to her dismissal.

The client data, which includes Social Security numbers and other sensitive personal information, was sent to her own home PC and was also exposed to her attorneys and union representatives.

Given the reason for taking the data, and the limited audience with which the information was allegedly shared, it seems highly unlikely that any of the client information will be used for identity theft or other nefarious purposes. However, that doesn’t change the fact that the data should never have been exposed or compromised.

The fired worker ostensibly had a legitimate business purpose for having access to the data. The incident illustrates, though, that organizations need better monitoring and filters in place to control what happens with that data, and where it is allowed to be sent or saved, even when it is accessed by an authorized individual. Obviously, some workers will need access to sensitive information, and organizations need tools to prevent that data from going any further or being shared with or exposed to unauthorized individuals.

Portable Data is Often an Easy Target

Thursday, February 10th, 2011

There are certainly benefits and advantages to being able to carry massive amounts of files and data in your pocket. However, the small size and gargantuan storage capacities also make portable media very easy to lose or misplace, and a prime target for criminals.

Whether it is a USB thumb drive, an external hard drive, a smartphone, a tablet, or some other device, it is not uncommon for people to have 32GB, 64GB, or even a terabyte of data on them. The data could be a music library or albums of personal photos, or it could be an entire patient or student database–complete with Social Security numbers, driver’s license numbers, home addresses, and other valuable information.

According to the Privacy Rights Clearinghouse, a non-profit organization dedicated to protecting consumer privacy and raising awareness of privacy concerns, there were 142 reported data breach incidents in 2010 involving portable storage devices. Those incidents led to the compromise or exposure of nearly 7 million records. That amounts to 7 million possible cases of identity theft or credit fraud, or 7 million violations of security and privacy mandates such as HIPAA or PCI DSS.

It is important that organizations limit the types of data that are allowed to be stored or transported on portable media, and that data that is stored on portable devices is properly protected so that–even if the device is lost or stolen–the data it contains will be safe.

Is There a ‘Bradley Manning’ in Your Company?

Thursday, January 6th, 2011

The leak of classified government and military data to WikiLeaks by Pfc Bradley Manning illustrates the extent of the insider threat. Authorized users with legitimate access to confidential and sensitive data pose a much greater risk to that data than some ethereal malicious hacker somewhere out there on the Internet.

To combat such threats, the Obama administration is urging all federal agencies to step up efforts to identify and thwart would-be ‘Bradley Mannings’. A document–ironically leaked to NBC News–“calls on agencies to hire psychiatrists and sociologists to measure the ‘despondence or grumpiness’ of federal employees in order to ‘gauge trustworthiness.’ It also urges the use of polygraph machines, and the monitoring of computer activities and signs of ‘high occurrences of foreign travel.’”

The Obama administration should be commended for recognizing the risk posed by insider access to sensitive information, and the new directives and policies are well-intentioned, but they seem very much like TSA security at airports–much ado about nothing, a smoke-and-mirrors effort to appear secure without really reducing the threat.

Rather than relying on agency and department heads to closely monitor employees’ professional and personal activities, and investing money in psychological exams and polygraph tests, federal agencies should simply contact us at Zecurion. What government and military agencies really need are tools like Zlock to monitor and restrict the use of removable media without impeding its functionality, and Zgate to filter confidential and sensitive information to prevent it from being leaked via email or social networking sites.

Mr. President–feel free to contact me at bradley@zecurion.com or give me a call at 281-352-8201 so we can talk further.

US Military Response to WikiLeaks Breach Misguided

Monday, December 13th, 2010

In response to recent revelations on WikiLeaks, the United States military has banned all removable media–CDs, DVDs, USB thumb drives, etc.–from being used on the private military network for classified information, under penalty of court-martial. The policy may slow down an information breach, but it won’t prevent one–and it gets in the way of legitimate, productive use of removable media at the same time.

The United States military has a little thing about classified information. It is not a fan of unauthorized exposure or compromise of classified information, so naturally the data breach incident with WikiLeaks has evoked a strong response. The problem is that the response goes too far in one respect–impeding the legitimate use of removable media to transfer data between machines–and not nearly far enough in others–failing to actually meet the goal of preventing future exposure of classified information.

Sharing classified information with unauthorized individuals is already against military rules. The threat of court-martial for willingly disseminating classified data did not stop the soldier from doing so, and I don’t expect that also making it against the rules to use a USB thumb drive would have slowed him down either. If the soldier had intent to breach protocol and share classified information, a policy against it will have little effect.

What the military–and any other organization with a need to protect sensitive data–needs is a clearly-defined policy governing the legitimate use of removable media, and tools in place–like Zecurion Zlock–to let IT admins monitor and control the flow of sensitive information.

Keep An Eye On Sensitive Information

Friday, October 15th, 2010

Every little tidbit of information has value…to someone. A name, address, or birth date are good. A driver’s license or Social Security number is better. A bank or credit card account number is a jackpot. But, any one of those bits of information–and any combination thereof–can be put to use for identity theft or cyber fraud.

That is why incidents like the recent theft of an Accomack County worker’s laptop, stolen while the employee was vacationing in Las Vegas, should simply not happen. It’s not that laptops shouldn’t get lost or stolen. It would be nice, but it’s impractical to expect. It’s not even necessarily that sensitive data like the names and Social Security numbers of 35,000 Accomack County taxpayers shouldn’t have been on the laptop when it was stolen. The laptop is used to conduct county business, and assuming this employee had a valid business reason for working with the data, why shouldn’t it be on the laptop?

What shouldn’t happen is for sensitive information like this to be transferred or stored without the IT admin having a record of when and where the data went, or without the data being encrypted to protect it against unauthorized access in the event that the laptop is lost or stolen. People have to work with their laptops–that is why they have them. And laptops will continue to get lost and stolen. But, with the right policies and tools in place, a lost or stolen laptop does not have to result in compromised sensitive data.