Posts Tagged ‘compromise’

Rice Faculty and Student Data at Risk

Saturday, October 2nd, 2010

Personal data on more than 7,000 Rice faculty, students, staff, and retirees was contained on a stolen storage device. The data was apparently not encrypted or otherwise protected, which means it may very well be exposed to or compromised by the thief, although there is no indication so far that the data has been misused.

A report from Rice News and Media explains, “Late last month a device containing information for about 7,250 Rice faculty and staff, along with some students and retirees, was stolen. Over the past week administrators discovered that one of the files contained a list of Rice employees and students on the Rice payroll as of January 2010 and included information such as names, addresses, birth dates, employee identification numbers, salaries and emergency contacts, but no Social Security numbers. Another file included Social Security numbers, mostly for Rice employees.”

This is another example underscoring the need for data at rest to be encrypted–particularly sensitive data that can lead to identity theft if exposed to unauthorized users. Technology is becoming increasingly portable and mobile, which–by definition–also makes it easier to lose or steal. There is little that any organization can do to eliminate the possibility of devices being lost or stolen, so instead organizations should focus on tools and protections that ensure the data contained on those devices cannot be accessed even if the device is lost or stolen.

Stolen Laptop Puts Patient Data at Risk

Tuesday, September 28th, 2010

A laptop belonging to an employee of St. Vincent Hospital in Indianapolis was stolen from the worker’s residence. That laptop contained medical history details and Social Security numbers of 1,200 hospital patients–and of course the data is not encrypted or protected in any way.

Rex McKinney, St. Vincent Hospital privacy officer, stated, “We are committed to protecting the confidentiality and privacy of our patients and will continue to implement administrative, technical and physical safeguards against unauthorized disclosures of protected health information.”

That is all well and good, but in order to “continue” implementing safeguards you would have to have implemented some in the first place. The article also states that the hospital is taking “precautionary steps to avoid future incidents.”

The thing is that implementing controls in response to an incident after data has already been compromised is not “precautionary”–it’s reactionary. HIPAA (Health Insurance Portability and Accountability Act) compliance requirements already mandate that the data should have been protected to begin with. Putting basic protection in after the fact is hardly heroic or praiseworthy–it’s just public relations damage control.

When will organizations–particularly medical and educational institutions–learn that implementing solutions like Zecurion’s Zserver Storage is a simple, cost-effective solution that can prevent incidents like these and save the organization from facing the legal, financial, and reputation consequences of compromising sensitive data?

Zeus Compromises Student Data at University of Oklahoma

Monday, July 12th, 2010

The University of Oklahoma has revealed that a laptop compromised by a variant of the Zeus botnet may have exposed or compromised sensitive information on OU students–including Social Security numbers. There are no further details yet available regarding the scope of the potential compromise. According to this blurb from KOCO.com, though, “OU officials said they are not aware of any instances of identity theft or similar problems as a result of the breach, but they said they can’t be certain that student information was not compromised.”

One way that OU could be certain that student information was not compromised is if the data stored on the laptop, or on servers the laptop has access to, had been encrypted. I am not sure why these incidents seem to occur almost exclusively at medical establishments and educational institutions, but simply investing in the proper security controls up front can save time, money, and embarrassment for the organization, as well as protect the personal and sensitive information the organization has been entrusted with.

How Many Stolen Laptops Does It Take?

Thursday, May 27th, 2010

You may or may not realize this, but one of the primary advantages of notebook and netbook computers is their portability. Being able to compute from hotel lobbies, corner coffee shops, and the random McDonald’s certainly has its advantages, but I’ll let you in on a little secret–thieves like the small size, light weight, and portability of laptops too.

Just in the past couple of weeks there have been two incidents of laptops from medical centers being lost or stolen. One, from Oconee Physician Practices, contained the name, date of birth, gender, height and weight, blood pressure, and other medical data connected with EKGs for more than 600 patients. Another, from Loma Linda University Medical Center, held the patient name, medical record number, diagnosis, surgery date, and type of procedure for more than 500 patients.

How many laptops have to be lost or stolen before IT administrators and executive management realize that data has to be proactively encrypted and protected? The investment in the right tools to do the job–like Zecurion Zserver Suite–is significantly less than the cost–financially and to the company’s reputation–from being responsible for compromising the sensitive and confidential data of customers or employees.

Stolen Hard Drive Puts Data from 5,418 Patients at Risk

Friday, April 30th, 2010

On April 1st a hard drive was stolen from the mammography suite of The Medical Center at Bowling Green. The missing drive contained information on 5,418 patients who had undergone bone density testing between 1997 and 2009–including names, addresses, birth dates, physician names, medical records, and possibly Social Security numbers.

Of course the data was not encrypted or protected on the drive itself, placing it at risk of exposure to anyone who happens to examine the contents of the drive. The medical center managed the investigation internally for 17 days before notifying authorities and turning the case over as a criminal incident. At that point, it also began to notify the affected patients.

Looking at the positive side of the incident: “Since the theft occurred, hospital officials have taken steps to strengthen the security of patient information and that includes linking to a secure network eliminating the need for computer hard drives, such as the one that was stolen.”

Yet again, a case of reacting after the fact. Installing a sprinkler system AFTER the building burns down offers little consolation for the lost building–yet so many companies and IT administrators seem to be willing to gamble with the personal information they are entrusted with–and frequently lose.

A small investment in proactively encrypting data to prevent unauthorized access would have protected the data and saved the Medical Center from the bad publicity and damaged reputation. “Fixing” the problem after the fact is almost always a more costly proposition than doing it right in the first place.

Arkansas National Guard Loses Unencrypted Drive

Wednesday, March 10th, 2010

The Arkansas National Guard lost an external hard drive containing unencrypted data. The data on the drive included the Arkansas National Guard personnel file dating back to 1991–complete with names, Social Security numbers and other personal information which could put the affected Soldiers at risk for identity theft.

Thus far, there is no evidence to suggest foul play. The Guard remains hopeful that the drive is simply misplaced. However, the Guard is making every effort to identify those affected and alert them of the potential data risk.

That is good news–assuming that the Guard is correct and the data isn’t in the hands of anyone with malicious intent. But, what if they’re wrong? Or, what if they’re right that the drive was innocently misplaced, but someone with less-than-honorable intentions locates it before they do?

The fact is that the Arkansas National Guard–and any other organization storing sensitive or confidential information–could have avoided any potential breach of the data by encrypting it. A lost drive doesn’t have to put data at risk if the data it contains is properly protected.

Zecurion Zserver Suite protects data at rest. Zserver Storage’s hard disk encryption functions transparently, ensuring the safety and security of data even if the storage media device is removed–as is often the case for external hard drives. None of the data, including the file allocation tables or any Zserver Storage supporting files, is accessible without the authorized encryption keys.

Zserver Storage encrypts most types of data storage hardware and devices including IDE and SCSI hard drives, RAID mirrored drives, CD/DVD optical disks and magnetic tapes, making Zserver Storage a viable, cost-effective alternative to other encrypted storage hardware solutions such as network storage appliances.

The bottom line is that it is unreasonable to expect users not to store sensitive or confidential data on drives–whether internal or external. It should be assumed that drives will contain such information, and organizations should proactively encrypt the data using a product like Zserver Suite to ensure it is protected from unauthorized access no matter where the drive ends up.

North Carolina Server Breach Exposes Sensitive Data

Sunday, December 20th, 2009

More than 50,000 users had sensitive information, including driver’s license and Social Security numbers, exposed during a server breach in August. The breach of a server at the Community College System Office in Raleigh occurred on August 23rd, and officials were aware of it as of August 24th. An investigation was allegedly begun immediately, but news of the breach was just made public this week–almost four months later.

The official press release regarding the incident explains “The NC Community College System Office began notifying nearly 51,000 library users from 25 community colleges that a security breach occurred on a computer server containing their personal information, including Social Security or driver’s license numbers. All reviews and investigations indicate that no personal information was accessed by the intruder. However, library users with such information on the server will soon begin receiving letters explaining the attack, steps being taken to prevent future breaches and actions they may take to protect their credit and to ensure protection from identity theft.”

The press release describes the attack as a successful password cracking attempt via the Internet. There are other questions to answer regarding password complexity and how an attacker was able to conduct password cracking remotely from the Internet, but had the data on the server been encrypted it would have been protected even if the server itself was breached.

Patient Data Leaked to Local Attorneys by Hospital Worker

Sunday, December 13th, 2009

The University Medical Center (UMC) in Las Vegas is in hot water after it was discovered that at least one hospital employee has been leaking personal information of accident victims to local attorneys so that the lawyers could solicit the patients as clients. The breach of patient data violates federal HIPAA (Health Insurance Portability and Accountability Act) guidelines and could result in fines up to $1.5 million.

According to an article from the Las Vegas Review-Journal, the potential HIPAA fines are divided into four categories with a total maximum of $1.5 million:

  • If the hospital shows it didn’t know about security leaks, even though it made a good-faith effort to ferret them out, it faces fines of $100 to $50,000 per violation.
  • If the violation resulted from a reasonable cause with no willful neglect, the hospital could be fined $1,000 to $50,000 for each offense.
  • If federal officials determine the hospital was negligent but fixed the problems within 30 days, the fines would run $10,000 to $50,000 per violation.
  • If it takes longer than 30 days, the fines start at $50,000.

The hospital received fairly high marks from a county auditor for HIPAA compliance, but with a few notable flaws. The auditor identified issues with patient records being left unattended, outgoing email with sensitive information being transmitted without encryption, and no record of what information was disclosed to third parties in some cases. Any of these data protection weaknesses could come back to haunt UMC both with the federal investigation and fines, as well as with any subsequent civil suits arising from the breach of confidentiality.

Health and medical institutions like UMC would benefit from using tools to enforce data security policies and monitor and restrict the data that is sent to networked printers or saved to removable media, and software that can scan and filter outbound email to ensure sensitive information is not transmitted unencrypted.

Former Insurance Agent Accused of Breaching Customer Data

Tuesday, December 8th, 2009

Farmers Insurance in Nashville is investigating a breach and notifying customers that their data was compromised. The incident seems to be a result of a combination of weak server security and a disgruntled ex-employee.

An individual allegedly contracted to ‘hack’ into Farmers by a former agent “said a few months ago he discovered a flaw in the agent page for Farmers Insurance that allows someone to extract all the information from its database, such as insurance policies, names, addresses and Social Security numbers.”

Obviously, Farmers should have had better security in place on the Web server in the first place. In addition, though, the data stored on the server should be protected to ensure it can’t be compromised even if an attacker manages to gain access to the server itself.