Posts Tagged ‘data breach’

Zeus Compromises Student Data at University of Oklahoma

Monday, July 12th, 2010

The University of Oklahoma has revealed that a laptop compromised by a variant of the Zeus botnet may have exposed or compromised sensitive information on OU students–including Social Security numbers. There are no further details yet available regarding the scope of the potential compromise. According to this blurb from KOCO.com, though, “OU officials said they are not aware of any instances of identity theft or similar problems as a result of the breach, but they said they can’t be certain that student information was not compromised.”

One way OU could be certain that student information was not compromised would be if the data stored on the laptop, or on the servers the laptop had access to, had been encrypted. I am not sure why these incidents seem to occur almost exclusively at medical establishments and educational institutions, but simply investing in the proper security controls up front can save time, money, and embarrassment for the organization, as well as protect the personal and sensitive information the organization has been entrusted with.

Tufts University Alumni Data Exposed by Malware

Monday, June 14th, 2010

What is it about networks and data at universities and medical establishments? It seems like almost every breach of sensitive or personal data is related to these two types of institutions. Are they targeted more often than other types of networks, or do they just have weaker security and poorer data protection mechanisms in place?

Following on the heels of the recent botnet compromise at Penn State University, Tufts University has discovered that “several computers were recently exposed to an unknown virus or malicious software program.” As a result, roughly 7,000 alumni may have had their student ID numbers exposed–and, as at Penn State University, the breached data is legacy data from a time when the university used the student’s Social Security number as their student ID number.

Universities, including both Penn State University and Tufts University, have abandoned that practice, but apparently have not found the time to go back through archive data and old databases to purge legacy information from the servers. While that is still a good idea, and a project that these universities should be pursuing, having sufficient data protection controls in place, such as encrypting the stored data, would ensure that it would not be exposed even in the event of a malware compromise or breach of the server itself.

A small investment in proactive security measures goes a long way and saves the organization from the lost reputation, time, and money involved in responding to a data breach incident.

Penn State Server Compromised by Botnet

Wednesday, June 9th, 2010

Penn State University has sent out data breach notification letters to nearly 16,000 individuals to let them know that a computer in its Outreach Market Research and Data office was found to be actively communicating with a malicious botnet and that personal information including Social Security numbers may have been compromised.

Penn State has not used SSNs as a student identifier for 5 years; however, an archived copy of a legacy database apparently still existed on the compromised server.

A Penn State spokesperson explained that “We have, of course, standard defenses: site-licensed antivirus, unit firewalls, patching, vulnerability scanning, web application scanning, intrusion detection and blocking of confirmed hostile sites or frequently probed ports. When a machine is compromised, it must be re-installed from known ‘good’ media before it’s allowed back on the network, since it’s not possible to truly clean a machine that’s been fully compromised.”

All of those are excellent security controls and fit nicely with established security best practices. However, the data itself should be encrypted so that if and when an attacker figures out how to circumvent those defenses the data itself will still be impervious to unauthorized access.

An Unenforced Policy is the Same as No Policy at All

Friday, June 4th, 2010

The West Berkshire Council has just learned this lesson the hard way. According to a recent report of lost data “West Berkshire introduced encrypted memory sticks in 2006. But following an investigation by the Information Commissioner’s Office (ICO), it was also discovered that council employees were still using unencrypted memory sticks.”

In a perfect world, simply stating that data should only be stored on approved USB devices, and that all data on portable storage media must be encrypted would be good enough. In the real world, though, simply stating it is not good enough. Stating a policy–without any means of monitoring or enforcing compliance with it–is simply paying lip service to data protection and gambling that a data breach incident will never occur.

West Berkshire Council lost that gamble when an unencrypted USB memory stick containing sensitive information relating to the ethnicity and the mental and physical health of children was lost. The report also contains this quote: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.”

The best option to ensure correct safeguards are in place is Zlock. Zlock allows IT administrators to restrict users from writing data to unapproved portable storage media. Access can be locked down to devices from a particular manufacturer, or of a particular type. A specific USB memory stick can be associated with each individual user, and all other memory sticks can be blocked.

In the case of West Berkshire Council, Zlock would have been instrumental in ensuring that users relied on the encrypted USB memory sticks they were issued four years ago, rather than storing data on the now lost unencrypted USB memory stick.

How Many Stolen Laptops Does It Take?

Thursday, May 27th, 2010

You may or may not realize this, but one of the primary advantages of notebook and netbook computers is their portability. Being able to work from hotel lobbies, corner coffee shops, and the random McDonald’s certainly has its advantages, but I’ll let you in on a little secret–thieves like the small size, light weight, and portability of laptops too.

Just in the past couple of weeks there have been two incidents of laptops from medical centers being lost or stolen. One from the Oconee Physician Practices contained the name, date of birth, gender, height and weight, blood pressure, and other medical data connected with the EKG of more than 600 patients. Another laptop from Loma Linda University Medical Center had the patient’s name, medical record number, diagnosis, surgery date, and type of procedure for more than 500 patients.

How many laptops have to be lost or stolen before IT administrators and executive management realize that data has to be proactively encrypted and protected? The investment in the right tools to do the job–like Zecurion Zserver Suite–is significantly less than the cost–financially and to the company’s reputation–from being responsible for compromising the sensitive and confidential data of customers or employees.

$6.5 Million is a Lot to Gamble

Wednesday, May 12th, 2010

Section 13402(e)(4) of the HITECH Act requires that the Secretary of Health and Human Services post a list of breaches of unsecured protected health information affecting 500 or more individuals.

Since HHS began tracking and posting these breaches in late September of 2009, there have been 77 such incidents, impacting a total of 2.4 million individuals. That is an average of more than 30,000 breached records containing personal information for each incident. A 2009 study by the Ponemon Institute found that the average cost of a data breach in the United States is $208 per compromised record, making the average cost of these 77 data breaches over $6.5 million.

Some of the data breaches were the result of physical data–forms and paperwork–being thrown into a dumpster. But, nearly 75 percent of the incidents involved unencrypted data stored on servers, backup tapes, or portable storage media.

Applying the averages–here is the bottom line: 56 out of 77 incidents could have been prevented if those organizations used Zecurion Zserver Suite to encrypt and protect data. That means that nearly 1.8 million of the 2.4 million affected individuals would not have had their personal data compromised, and that these organizations could have avoided a combined $364 million in costs to clean up after the breach.

The investment in proactively protecting data is significantly less than the cost of reacting to a data breach incident, and it doesn’t have the long-term negative impact to the organization’s credibility and reputation.

Stolen Hard Drive Puts Data from 5,418 Patients at Risk

Friday, April 30th, 2010

On April 1st a hard drive was stolen from the mammography suite of The Medical Center at Bowling Green. The missing drive contained information on 5,418 patients who had undergone bone density testing between 1997 and 2009–including names, addresses, birth dates, physician names, medical records, and possibly Social Security numbers.

Of course the data was not encrypted or protected on the drive itself, placing it at risk of exposure to anyone who happens to examine the contents of the drive. The medical center managed the investigation internally for 17 days before notifying authorities and turning the case over as a criminal incident. At that point, it also began to notify the affected patients.

Looking at the positive side of the incident: “Since the theft occurred, hospital officials have taken steps to strengthen the security of patient information and that includes linking to a secure network eliminating the need for computer hard drives, such as the one that was stolen.”

Yet again, a case of reacting after the fact. Installing a sprinkler system AFTER the building burns down offers little consolation for the lost building–yet so many companies and IT administrators seem to be willing to gamble with the personal information they are entrusted with–and frequently lose.

A small investment in proactively encrypting data to prevent unauthorized access would have protected the data and saved the Medical Center from the bad publicity and damaged reputation. “Fixing” the problem after the fact is almost always a more costly proposition than doing right in the first place.

UK Police Officer Emails Sensitive Information

Monday, April 19th, 2010

Oops. Have you ever hit SEND just as you realize that you are sending an email to the wrong person or group? Well, imagine how one Gwent Police officer felt when he accidentally forwarded an unprotected Excel spreadsheet containing sensitive information on over 10,000 people…to a journalist.

The officer, now facing a gross misconduct investigation and possible termination, sent an Excel file attachment containing names, dates of birth, and detailed results of criminal background investigations on 10,006 individuals dating back to 2001.

It is up to the Gwent Police to determine whether it was negligence, incompetence, or simple human error that led to this data breach. But, incidents like this are preventable if you remove the human error factor from the equation. Zecurion Zgate monitors inbound and outbound email for sensitive information and ensures that private and confidential data is handled according to established rules and policies and that sensitive data is not transmitted unencrypted.
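The kind of outbound check described above, as an added example that is not Zgate’s code: it decodes an outgoing message and each attachment, counts SSN- and date-of-birth-shaped fields, and blocks a bulk file addressed outside the organisation while flagging smaller or internal sends for encryption. The internal domain, the record threshold, the field patterns and the sample CSV are all constructed assumptions.

```python
import re
from email.message import EmailMessage

# Constructed detection rules for this example (not Zgate's real rule set): US-style
# SSNs and dd/mm/yyyy dates of birth, the fields the breaches on this page involved.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")
INTERNAL_DOMAIN = "example.invalid"  # assumed internal mail domain
RECORD_THRESHOLD = 3                 # assumed: this many SSNs marks a bulk personal-data file

def has_external_recipient(msg):
    """True if any To/Cc/Bcc address lies outside the internal domain."""
    for name in ("To", "Cc", "Bcc"):
        for header in msg.get_all(name, []):
            for addr in header.addresses:
                if addr.domain.lower() != INTERNAL_DOMAIN:
                    return True
    return False

def check_outbound(msg):
    """Return (verdict, findings): 'block' a bulk identifier file leaving the
    organisation, 'encrypt' any other message carrying identifiers, else 'allow'."""
    findings = []
    for part in msg.walk():  # scan the body and every attachment, decoded
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_content()
        text = payload.decode("utf-8", "ignore") if isinstance(payload, bytes) else payload
        counts = {"ssn": len(SSN_RE.findall(text)), "dob": len(DOB_RE.findall(text))}
        if counts["ssn"] or counts["dob"]:
            findings.append((part.get_filename() or "body", counts))
    ssn_total = sum(c["ssn"] for _, c in findings)
    if ssn_total >= RECORD_THRESHOLD and has_external_recipient(msg):
        return "block", findings
    if findings:
        return "encrypt", findings
    return "allow", findings

def build_sample(to_addr, n_rows):
    """Constructed outgoing mail with a CSV of n_rows background-check rows attached."""
    msg = EmailMessage()
    msg["From"] = "officer@" + INTERNAL_DOMAIN
    msg["To"] = to_addr
    msg["Subject"] = "Check results"
    msg.set_content("Results attached.")
    rows = [f"Person {i},0{i}/01/198{i},12{i}-45-678{i},clear" for i in range(1, n_rows + 1)]
    csv = "\n".join(["name,dob,ssn,result"] + rows) + "\n"
    msg.add_attachment(csv, subtype="csv", filename="results.csv")
    return msg
```

A real gateway would apply the same scan to decoded Office and PDF attachments and to archives, which this example leaves out.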

Portable Hard Drive Theft Puts Client Data at Risk

Monday, April 19th, 2010

A portable hard drive containing unencrypted data was stolen from the car of an LPL Financial representative, putting the names, addresses, birth dates, and Social Security numbers of an undisclosed number of clients at risk.

In LPL Financial’s defense, there is an existing branch security policy requiring that all portable hard drives or laptops storing client data must be encrypted and accessible only by use of a passcode or key. Apparently, that policy was not obeyed in this case.

There are forty-five states with some sort of disclosure law requiring data breaches be reported, but only two states–Massachusetts and Nevada–actually require that personal client data be encrypted.

It is admirable that LPL Financial has an established policy mandating that data be encrypted, but as this incident illustrates policies can be broken. LPL Financial, and other companies serious about protecting data, should have a solution in place that doesn’t rely on human intervention to function. Sensitive data should only be allowed to be written to drives with the appropriate encryption mechanisms in place.