
Archive for the ‘Security Breaches & Data Loss Incidents’ Category

An Unenforced Policy is the Same as No Policy at All

Friday, June 4th, 2010

The West Berkshire Council has just learned this lesson the hard way. According to a recent report of lost data “West Berkshire introduced encrypted memory sticks in 2006. But following an investigation by the Information Commissioner’s Office (ICO), it was also discovered that council employees were still using unencrypted memory sticks.”

In a perfect world, simply stating that data should only be stored on approved USB devices, and that all data on portable storage media must be encrypted would be good enough. In the real world, though, simply stating it is not good enough. Stating a policy–without any means of monitoring or enforcing compliance with it–is simply paying lip service to data protection and gambling that a data breach incident will never occur.

West Berkshire Council lost that gamble when an unencrypted USB memory stick containing sensitive information relating to the ethnicity, and mental and physical health, of children was lost. The report also contains this quote: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.”

The best option to ensure correct safeguards are in place is Zlock. Zlock allows IT administrators to prevent users from writing data to unapproved portable storage media. Access can be locked down to devices from a particular manufacturer, or of a particular type. A specific USB memory stick can be associated with each individual user, and all other memory sticks can be blocked.

In the case of West Berkshire Council, Zlock would have been instrumental in ensuring that users relied on the encrypted USB memory sticks they were issued four years ago, rather than storing data on the now lost unencrypted USB memory stick.

How Many Stolen Laptops Does It Take?

Thursday, May 27th, 2010

You may or may not realize this, but one of the primary advantages of notebook and netbook computers is their portability. Being able to compute from hotel lobbies, corner coffee shops, and the random McDonald’s certainly has its advantages, but I’ll let you in on a little secret–thieves like the small size, light weight, and portability of laptops too.

Just in the past couple of weeks there have been two incidents of laptops from medical centers being lost or stolen. One from the Oconee Physician Practices contained name, date of birth, gender, height and weight, blood pressure and some other medical data connected with the EKG from more than 600 patients. Another laptop from Loma Linda University Medical Center had patients’ names, medical record numbers, diagnoses, surgery dates, and the type of procedure for more than 500 patients.

How many laptops have to be lost or stolen before IT administrators and executive management realize that data has to be proactively encrypted and protected? The investment in the right tools to do the job–like Zecurion Zserver Suite–is significantly less than the cost–financially and to the company’s reputation–from being responsible for compromising the sensitive and confidential data of customers or employees.

Stolen Hard Drive Puts Data from 5,418 Patients at Risk

Friday, April 30th, 2010

On April 1st a hard drive was stolen from the mammography suite of The Medical Center at Bowling Green. The missing drive contained information on 5,418 patients who had undergone bone density testing between 1997 and 2009–including names, addresses, birth dates, physician names, medical records, and possibly Social Security numbers.

Of course the data was not encrypted or protected on the drive itself, placing it at risk of exposure to anyone who happens to examine the contents of the drive. The medical center managed the investigation internally for 17 days before notifying authorities and turning the case over as a criminal incident. At that point, it also began to notify the affected patients.

Looking at the positive side of the incident: “Since the theft occurred, hospital officials have taken steps to strengthen the security of patient information and that includes linking to a secure network eliminating the need for computer hard drives, such as the one that was stolen.”

Yet again, a case of reacting after the fact. Installing a sprinkler system AFTER the building burns down offers little consolation for the lost building–yet so many companies and IT administrators seem to be willing to gamble with the personal information they are entrusted with–and frequently lose.

A small investment in proactively encrypting data to prevent unauthorized access would have protected the data and saved the Medical Center from the bad publicity and damaged reputation. “Fixing” the problem after the fact is almost always a more costly proposition than doing right in the first place.

UK Police Officer Emails Sensitive Information

Monday, April 19th, 2010

Oops. Have you ever hit SEND just as you realize that you are sending an email to the wrong person or group? Well, imagine how one Gwent Police officer felt when he accidentally forwarded an unprotected Excel spreadsheet containing sensitive information on over 10,000 people…to a journalist.

The officer, now facing a gross misconduct investigation and possible termination, sent an Excel file attachment containing names, dates of birth, and detailed results of criminal background investigations on 10,006 individuals dating back to 2001.

It is up to the Gwent Police to determine whether it was negligence, incompetence, or simple human error that led to this data breach. But incidents like this are preventable if you remove the human error factor from the equation. Zecurion Zgate monitors inbound and outbound email for sensitive information and ensures that private and confidential data is handled according to established rules and policies and that sensitive data is not transmitted unencrypted.
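The kind of outbound-email check described above, as an added example that is not Zgate's code or any code from the original post: it parses an outgoing message, looks inside plaintext spreadsheet attachments for personal records (dates of birth, vetting-result columns), and blocks the message when such records are readable in the clear and any recipient is outside the organisation. The mail domain, the column names and the two-row CSV attachment are constructed sample data, and the attachment is a CSV rather than an Excel file so that the example runs with the standard library only.

```python
import csv
import io
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import getaddresses

INTERNAL_DOMAIN = "force.example"                 # constructed internal mail domain
DOB_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")     # UK-style date, dd/mm/yyyy
# column headings that mark a row as a vetting/background-check record (constructed)
SENSITIVE_HEADERS = {"date of birth", "dob", "conviction", "check result"}


def scan_csv(text: str) -> dict:
    """Count personal records in a CSV attachment: total rows, rows carrying a
    date of birth, and which sensitive columns the sheet contains."""
    rows = list(csv.DictReader(io.StringIO(text)))
    headers = {h.strip().lower() for h in (rows[0].keys() if rows else [])}
    dob_rows = sum(1 for r in rows if any(DOB_RE.search(v or "") for v in r.values()))
    return {
        "records": len(rows),
        "dob_rows": dob_rows,
        "sensitive_columns": sorted(headers & SENSITIVE_HEADERS),
    }


def external_recipients(msg) -> list:
    """Addresses in To/Cc that are not on the internal domain."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted(
        addr.lower() for _, addr in pairs
        if addr and not addr.lower().endswith("@" + INTERNAL_DOMAIN)
    )


def evaluate_outbound(raw: str) -> dict:
    """Gateway decision for one outbound message.

    If personal records are readable in an attachment they are by definition
    unencrypted; an encrypted attachment would yield no findings at all."""
    msg = Parser(policy=policy.default).parsestr(raw)
    external = external_recipients(msg)
    findings = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/csv":
            findings.append({"filename": part.get_filename(), **scan_csv(part.get_content())})
    leaking = [f for f in findings if f["records"] and (f["dob_rows"] or f["sensitive_columns"])]
    if external and leaking:
        verdict = "block"             # sensitive records, in the clear, leaving the organisation
    elif leaking:
        verdict = "allow-with-audit"  # internal only, but log it
    else:
        verdict = "allow"
    return {"verdict": verdict, "external": external, "findings": findings}


def build_sample(to_addr: str) -> str:
    """Constructed test message with a plaintext CSV attachment (sample data only)."""
    msg = EmailMessage()
    msg["From"] = "officer@" + INTERNAL_DOMAIN
    msg["To"] = to_addr
    msg["Subject"] = "Vetting results"
    msg.set_content("Attached as requested.")
    csv_text = (
        "Surname,Forename,Date of Birth,Check result\n"
        "Doe,Jane,01/02/1980,clear\n"
        "Roe,Richard,03/04/1975,record found\n"
    )
    msg.add_attachment(csv_text, subtype="csv", filename="vetting.csv")
    return msg.as_string()


if __name__ == "__main__":
    # to an outside address: blocked; to a colleague: allowed but audited
    print(evaluate_outbound(build_sample("reporter@newspaper.example"))["verdict"])
    print(evaluate_outbound(build_sample("sergeant@" + INTERNAL_DOMAIN))["verdict"])
```

The decision deliberately keys on content rather than on the sender's intentions: the same attachment sent to a colleague is allowed and logged, while to an outside address it is stopped before the officer's mistake becomes a breach.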

Portable Hard Drive Theft Puts Client Data at Risk

Monday, April 19th, 2010

A portable hard drive containing unencrypted data was stolen from the car of an LPL Financial representative, putting the names, addresses, birth dates, and Social Security numbers of an undisclosed number of clients at risk.

In LPL Financial’s defense, there is an existing branch security policy requiring that all portable hard drives or laptops storing client data must be encrypted and accessible only by use of a passcode or key. Apparently, that policy was not obeyed in this case.

There are forty-five states with some sort of disclosure law requiring data breaches be reported, but only two states–Massachusetts and Nevada–actually require that personal client data be encrypted.

It is admirable that LPL Financial has an established policy mandating that data be encrypted, but, as this incident illustrates, policies can be broken. LPL Financial, and other companies serious about protecting data, should have a solution in place that doesn’t rely on human intervention to function. Sensitive data should only be allowed to be written to drives with the appropriate encryption mechanisms in place.
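The two controls argued for on this page, a per-user allowlist of issued devices (the Zlock description in the West Berkshire post above) and the rule that sensitive data may only be written to drives with encryption in place (the LPL Financial point here), come down to one policy decision per write request. The following is an added example of that decision, not Zlock's code or any code from the original posts; the vendor and product ids, serial numbers, user names and the way a drive reports hardware encryption are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    """Identity of a removable drive as the OS reports it (constructed sample)."""
    vendor_id: str    # USB vendor id, placeholder value
    product_id: str   # USB product id, placeholder value
    serial: str       # unique per stick; what ties a device to one user
    encrypted: bool   # True if the drive presents hardware encryption (assumed attribute)


@dataclass
class Policy:
    approved_models: List[Tuple[str, str]]   # (vendor_id, product_id) pairs the organisation issues
    issued_serial: Dict[str, str]            # user -> serial of the one stick issued to them
    require_encryption: bool = True          # refuse writes to anything that is not encrypted


def evaluate_write(policy: Policy, user: str, device: Device) -> Tuple[bool, str]:
    """Decide whether `user` may write to `device`; returns (allowed, reason).

    Checks run from coarse to fine so the reason names the first failed
    control, which is what an auditor wants to read in the log."""
    if (device.vendor_id, device.product_id) not in policy.approved_models:
        return False, "model not approved"
    issued = policy.issued_serial.get(user)
    if issued is None:
        return False, "no device issued to user"
    if device.serial != issued:
        return False, "device not issued to this user"
    if policy.require_encryption and not device.encrypted:
        return False, "device not encrypted"
    return True, "ok"


def audit_line(user: str, device: Device, allowed: bool, reason: str) -> str:
    """One log line per decision; blocks are the events worth alerting on."""
    verdict = "ALLOW" if allowed else "BLOCK"
    return (f"{verdict} user={user} dev={device.vendor_id}:{device.product_id} "
            f"sn={device.serial} reason={reason}")


# constructed policy: one approved encrypted model, one issued stick per user
POLICY = Policy(
    approved_models=[("0b1c", "ff01")],
    issued_serial={"alice": "SN-1001", "bob": "SN-1002"},
)

# constructed devices
ISSUED_TO_ALICE = Device("0b1c", "ff01", "SN-1001", encrypted=True)
ISSUED_TO_BOB = Device("0b1c", "ff01", "SN-1002", encrypted=True)
PERSONAL_STICK = Device("abcd", "0001", "SN-9999", encrypted=False)
TAMPERED_CLONE = Device("0b1c", "ff01", "SN-1001", encrypted=False)  # right identity, no encryption


def demo() -> List[str]:
    """Run the sample requests through the policy and return the audit lines."""
    requests = [
        ("alice", ISSUED_TO_ALICE),   # her own issued stick
        ("alice", PERSONAL_STICK),    # a stick bought privately
        ("alice", ISSUED_TO_BOB),     # a colleague's issued stick
        ("carol", ISSUED_TO_ALICE),   # a user who was never issued one
        ("alice", TAMPERED_CLONE),    # approved identity but encryption absent
    ]
    return [audit_line(u, d, *evaluate_write(POLICY, u, d)) for u, d in requests]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Only the first request is allowed. The point of ordering the serial check before the encryption check is that a stick issued to someone else is blocked as a policy matter even when it is encrypted, which is the same lesson the West Berkshire case teaches: the control has to act on every write, not rely on the user remembering the policy.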

Stop Trying to Stay a Step Ahead of the Bad Guys

Tuesday, March 23rd, 2010

Face it–it’s a long race, with no end in sight, that you have little hope of winning.

Let’s back up a step (pun intended) for some context. The Sunridge Medical Clinic at the University of Calgary was recently victimized by malware which compromised a server–potentially exposing sensitive personal information on 4,700 patients.

Wayne Wood, a spokesman for the Office of the Information and Privacy Commissioner of Alberta, told the Calgary Sun “Every once in awhile someone figures out how to get past the firewall,” adding “It seems the bad guys are always two steps ahead in terms of technology.”

Now, in this case it doesn’t necessarily seem like the bad guys were two steps ahead. The compromised server was infected by two different viruses and staff discovered that the antimalware protection on the system was not up to date. So, really the problem is that the security on the server was two steps behind–not that the attackers were two steps ahead.

That said, why bother engaging in a foot race with the bad guys? There are certainly reasons that you will still want to have standard security measures in place: antimalware, firewall, etc. But encrypting the data stored on the server will ensure that it cannot be accessed or breached even if the server it resides on is compromised. With the proper tools in place, a server breach does not have to be a data breach, and you can stop losing sleep over whether you are a step ahead–or two steps behind–the bad guys.

Arkansas National Guard Loses Unencrypted Drive

Wednesday, March 10th, 2010

The Arkansas National Guard lost an external hard drive containing unencrypted data. The data on the drive included the Arkansas National Guard personnel file dating back to 1991–complete with names, social security numbers and other personal information which could put the affected Soldiers at risk for identity theft.

Thus far, there is no evidence to suggest foul play. The Guard remains hopeful that the drive is simply misplaced. However, the Guard is making every effort to identify those affected and alert them of the potential data risk.

That is good news–assuming that the Guard is correct and the data isn’t in the hands of anyone with malicious intent. But, what if they’re wrong? Or, what if they’re right that the drive was innocently misplaced, but someone with less-than-honorable intentions locates it before they do?

The fact is that the Arkansas National Guard–and any other organization storing sensitive or confidential information–could have avoided any potential breach of the data by encrypting it. A lost drive doesn’t have to put data at risk if the data it contains is properly protected.

Zecurion Zserver Suite protects data at rest. Zserver Storage’s hard disk encryption functions transparently, ensuring the safety and security of data even if the storage media device is removed–as is often the case for external hard drives. None of the data, including the file allocation tables or any Zserver Storage supporting files, is accessible without authorized encryption keys.

Zserver Storage encrypts most types of data storage hardware and devices including IDE and SCSI hard drives, RAID mirrored drives, CD/DVD optical disks and magnetic tapes, making Zserver Storage a viable, cost-effective alternative to other encrypted storage hardware solutions such as network storage appliances.

The bottom line is that it is unreasonable to expect users not to store sensitive or confidential data on drives–whether internal or external. It should be assumed that drives will contain such information, and organizations should proactively encrypt the data using a product like Zserver Suite to ensure it is protected from unauthorized access no matter where the drive ends up.

Ceridian Hack Exposes Data on 27,000 Employees

Tuesday, February 9th, 2010

Ceridian, a provider of benefits services for thousands of client companies, had its payroll processing division hacked, exposing names, Social Security numbers, birth dates, and bank accounts of 27,000 employees from 1,900 companies nationwide.

The attack apparently occurred December 22 and/or 23 of 2009, but affected individuals were not notified until late January. When asked why it took so long to let employees know their data was compromised, Ceridian spokesman Keith Peterson said “We took immediate preventive steps to ensure no further incident of this type would occur.”

Peterson added “While the total number of employees affected is small, in our minds one is too many, and we are handling this incident according to our established protocol.”

27,000 may not be a large number relative to the total number of employees managed by Ceridian payroll, but to call the number “small” and wait more than a month to alert affected individuals seems to be a rather cavalier response. Kudos to Ceridian for being fortunate enough to not have exposed 270,000, or 2.7 million employees’ data, but to the 27,000 who are affected it is a matter of grave concern and utmost urgency.

It’s nice that Ceridian took “immediate preventive measures”, but it should also disclose what measures were in place, how they were circumvented, and what additional security controls were implemented to mitigate the attack. Ceridian falls under a variety of compliance mandates and it would be interesting to know whether the attack breached otherwise compliant security controls, or if Ceridian dropped the ball somewhere in implementing security and protecting data.

Whether Ceridian’s network and servers were compliant with all applicable security mandates at the time of the breach or not, Ceridian could have ensured that the employee data would not be compromised or exposed by implementing an encryption solution that protects all stored data at rest. An attacker may circumvent controls and breach the server, but a server breach does not have to be a data breach if the right protection is in place for the data.

State Laws Encourage Backup Encryption

Sunday, January 24th, 2010

I heard a rumor recently that Iron Mountain, a leading provider of offsite storage for backup data, was implementing a new policy that all customer data must be encrypted.

It makes sense. Unencrypted backup media seems to be an increasingly common source of data breaches. Chase Bank lost data on an unencrypted backup tape. Information Vaulting Services lost a backup tape from the state of Arkansas containing unencrypted personal information on over 800,000 individuals. A third-party storage vendor lost an unencrypted backup tape from Bank of New York Mellon with sensitive information from 4.5 million customers. The list goes on, and on, and on… and on.

While the organization entrusted with the data–Chase Bank, the state of Arkansas, or Bank of New York Mellon in the cases cited above–ultimately must pay the price for the data breach, both in terms of the broken trust with customers and damaged reputation, as well as any fines, penalties, and the cost of notifying and protecting customers, the fact is that these losses also reflect poorly on the third-party organizations responsible for securely storing the backup media.

Organizations like Iron Mountain that provide offsite storage have no way of knowing what data is contained on the media they store for their customers, nor whether or not that data is encrypted or protected in any way. A tape is a tape is a tape, and they are all handled and treated the same. Granted, a company that exists to provide secure offsite storage for backup data should not lose its customers’ backup media, but it shouldn’t bear any additional responsibility for personal or sensitive information being compromised as a result.

It turns out that the rumor I heard was incorrect. I spoke with Iron Mountain and I was told that it does not require customers to encrypt backup data–although it does believe it’s a good idea and highly recommends that customers consider doing so.

Apparently, the rumor stems, at least in part, from laws enacted in Nevada and Massachusetts. Those state laws require that personal information that could lead to identity theft be protected–even on backup media. Iron Mountain may not require it, but Nevada and Massachusetts do require that organizations in those states, or that conduct business in those states and/or result in personal information from citizens of those states being retained, encrypt information on backup media.

Suffice it to say, it’s just a good idea. Data at rest should be encrypted whether it is stored on servers on your internal network, or on backup media stored offsite with a third party.