Blog

Posts Tagged ‘data breach’

Got a Spare $7.2 Million in Your IT Budget?

Saturday, March 12th, 2011

Does your IT budget have $7 million or so to spare? I think I can say with absolute certainty that no organization–regardless of size and revenue–has an IT budget with an extra $7.2 million of unallocated money.

The follow up question to that rhetorical lead-in is “why are you gambling with $7.2 million you don’t have?”

A new survey from the Ponemon Institute–sponsored by Symantec–found that the average cost of a data breach for a company in the United States has increased to $7.2 million. That breaks down to an average of $214 per individual exposed or compromised data record. The kicker is that the survey also reveals that the number one cause of data breaches is negligence.

Don’t gamble $7.2 million you don’t have. Don’t let your organization be negligent. Invest proactively in the tools your organization needs to prevent sensitive information from leaving your network, and make sure your company isn’t tomorrow’s data breach headline.

On average, it will cost you $7.2 million to react to a data breach after it’s too late. It will cost you a fraction of a percent of that $7.2 million to prevent the breach in the first place.

Cord Blood Registry Learns Hard Lesson

Friday, March 4th, 2011

What happens when you leave a laptop and backup tapes holding unencrypted sensitive customer data in your car? Simple–someone breaks into the aforementioned vehicle and steals them, leading to a data breach affecting 300,000 customers.

Cord Blood Registry, the world’s largest stem cell bank, learned this lesson the hard way. Hopefully, your data is already protected–especially on laptops and backup media. If not, hopefully you will learn from CBR’s mistake and won’t have to go through the painful process of learning the lesson the hard way as well.

Lax data protection is usually a combination of a false sense of security, obliviousness to the risk, and a healthy dose of feeling that the solution is too complex or costly. CBR should have had policies in place mandating that data on laptops and backup media be encrypted to prevent exposure or compromise. More importantly, it should have had tools in place that simplify and automate that process, so that data protection isn’t reliant solely on an individual user’s ability to follow the policy.

Disgruntled Employee Exposes Client Data

Tuesday, February 15th, 2011

A former San Francisco city employee breached the confidential data of nearly 2,500 Medi-Cal recipients in an effort to make a case defending the “poor performance” that led to her dismissal.

The client data–which includes Social Security numbers and other sensitive personal data–was sent to her own home PC, and was also exposed to her attorneys and union representatives.

Given the reason for breaching the data, and the limited audience with which the information was allegedly shared, it seems highly unlikely that any of the client information will be used for identity theft or any other nefarious purposes. However, that doesn’t change the fact that the data should not be exposed or compromised.

The fired worker in question ostensibly had a legitimate business purpose for having access to the data in question. The incident illustrates, though, that organizations need to have better monitoring and filters in place to control what happens with that data, or where that data is allowed to be sent or saved even when it is accessed by an authorized individual. Obviously, there will be some workers who need to have access to sensitive information, and organizations need tools to prevent that data from going any further or being shared with or exposed to unauthorized individuals.

Portable Data is Often an Easy Target

Thursday, February 10th, 2011

There are certainly benefits and advantages to being able to carry massive amounts of files and data in your pocket. However, the small size and gargantuan storage capacities also make portable media very easy to lose or misplace, and a prime target for criminals.

Whether it is a USB thumb drive, an external hard drive, a smartphone, a tablet, or some other device, it is not uncommon for people to have 32GB, 64GB, or even a terabyte of data on them. The data could be a music library or albums of personal photos, or it could be an entire patient or student database–complete with Social Security numbers, driver’s license numbers, home addresses, and other valuable information.

According to the Privacy Rights Clearinghouse, a non-profit organization dedicated to protecting consumer privacy and raising awareness of privacy concerns, there were 142 reported data breach incidents in 2010 involving portable storage devices. Those incidents led to the compromise or exposure of nearly 7 million records. That amounts to 7 million possible cases of identity theft or credit fraud, or 7 million violations of security and privacy mandates such as HIPAA or PCI DSS.

It is important that organizations limit the types of data that are allowed to be stored or transported on portable media, and that data that is stored on portable devices is properly protected so that–even if the device is lost or stolen–the data it contains will be safe.

Is There a ‘Bradley Manning’ in Your Company?

Thursday, January 6th, 2011

The breach of classified government and military data to WikiLeaks by Pfc Bradley Manning illustrates the extent of the insider threat. The authorized users with legitimate access to confidential and sensitive data pose a much greater risk to that data than some ethereal malicious hacker somewhere out there on the Internet.

To combat such threats, the Obama administration is urging all federal agencies to step up efforts to identify and thwart would-be ‘Bradley Mannings’. A document–ironically leaked to NBC News–“calls on agencies to hire psychiatrists and sociologists to measure the ‘despondence or grumpiness’ of federal employees in order to ‘gauge trustworthiness.’ It also urges the use of polygraph machines, and the monitoring of computer activities and signs of ‘high occurrences of foreign travel.’”

The Obama administration should be commended for recognizing the risk posed by insider access to sensitive information, and the new directives and policies are well-intentioned, but they seem very much like TSA security at airports–much ado about nothing in a smoke-and-mirrors effort to appear secure while not really reducing the threat.

Rather than relying on agency and department heads to closely monitor employees’ professional and personal activities, and investing money in psychological exams and polygraph tests, federal agencies should simply contact us at Zecurion. What government and military agencies really need are tools like Zlock to monitor and restrict the use of removable media without impeding its functionality, and Zgate to filter confidential and sensitive information to prevent it from being leaked via email or social networking sites.

Mr. President–feel free to contact me at bradley@zecurion.com or give me a call at 281-352-8201 so we can talk further.

US Military Response to WikiLeaks Breach Misguided

Monday, December 13th, 2010

In response to recent revelations on WikiLeaks, the United States military has banned all removable media–CDs, DVDs, USB thumb drives, etc.–from being used on the private military network for classified information, under penalty of court-martial. The policy may slow down an information breach, but it won’t prevent one–and it gets in the way of legitimate, productive use of removable media at the same time.

The United States military has a little thing about classified information. It is not a fan of unauthorized exposure or compromise of classified information, so naturally the data breach incident with WikiLeaks has evoked a strong response. The problem is that the response goes too far in one respect–impeding the legitimate use of removable media to transfer data between machines–and not nearly far enough in others–failing to actually meet the goal of preventing future exposure of classified information.

Sharing classified information with unauthorized individuals is already against military rules. The threat of court-martial for willingly disseminating classified data did not stop the soldier from doing so, and I don’t expect that also making it against the rules to use a USB thumb drive would have slowed him down either. If the soldier had intent to breach protocol and share classified information, a policy against it will have little effect.

What the military–and any other organization with a need to protect sensitive data–needs is a clearly-defined policy governing the legitimate use of removable media, and tools in place–like Zecurion Zlock–to let IT admins monitor and control the flow of sensitive information.

Keep An Eye On Sensitive Information

Friday, October 15th, 2010

Every little tidbit of information has value…to someone. A name, address, or birth date are good. A driver’s license or Social Security number is better. A bank or credit card account number is a jackpot. But, any one of those bits of information–and any combination thereof–can be put to use for identity theft or cyber fraud.

That is why events like the Accomack County worker’s laptop that was recently stolen while the employee was vacationing in Las Vegas should just not happen. It’s not that laptops shouldn’t get lost or stolen. It would be nice, but it’s impractical to expect. It’s not even necessarily that sensitive data like the names and Social Security numbers of 35,000 Accomack County taxpayers shouldn’t have been on the laptop when it was stolen. The laptop is used to conduct county business, and assuming this employee had a valid business reason for working with the data, then why shouldn’t it be on the laptop?

What shouldn’t happen is that sensitive information like this gets transferred or stored without the IT admin having a record of when and where the data went, and without the data being encrypted to protect it against unauthorized access in the event that the laptop is lost or stolen. People have to work with their laptops–that is why they have them. And laptops will continue to get lost and stolen. But with the right policies and tools in place, a lost or stolen laptop does not have to result in compromising sensitive data.
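The kind of control both this post and the Medi-Cal post above are asking for is a content filter that inspects what an authorized user is about to send or copy, applies a policy per channel (internal share, personal e-mail, removable media), and writes a record of every decision. The following is an added illustration written for this page; it is not Zecurion code and does not describe how Zgate or Zlock work. It assumes that transfers can be intercepted and described by a user, channel and destination, that payloads copied to removable media through an approved encryption tool are flagged `encrypted`, and that a SIEM or write-once log would replace the in-memory `AUDIT` list. The sample roster, names and numbers are constructed for the example (the card number is the well-known Visa test number).

```python
"""Outbound-transfer content filter with an audit trail (added example, not vendor code).

Scans a payload (an e-mail body, a file about to be copied to a USB stick) for
Social Security numbers and payment-card numbers, applies a per-channel policy,
and records each decision so an admin can later answer "when and where did
this data go?".
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# SSN in the usual 3-2-4 form. Validity follows the structural rules the SSA
# publishes: area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Payment card: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out phone numbers and most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count sensitive identifiers in text -> {'ssn': n, 'card': m}."""
    ssns = sum(1 for m in SSN_RE.finditer(text) if valid_ssn(*m.groups()))
    # Blank out SSN-shaped tokens first so they cannot be glued onto an adjacent
    # digit run and mistaken for part of a card number.
    remainder = SSN_RE.sub(" ", text)
    cards = sum(1 for m in CARD_RE.finditer(remainder)
                if luhn_ok(re.sub(r"[ -]", "", m.group(0))))
    return {"ssn": ssns, "card": cards}


# Per-channel limits on what may leave. None means no limit.
POLICY = {
    "internal":        {"ssn": None, "card": None},
    "personal_email":  {"ssn": 0,    "card": 0},
    "removable_media": {"ssn": 0,    "card": 0},   # allowed only if encrypted
}

AUDIT: list = []   # assumption: stands in for a write-once log or SIEM feed


@dataclass
class Transfer:
    user: str
    channel: str        # key into POLICY
    destination: str    # mailbox, share, device serial: free text for the record
    content: str
    encrypted: bool = False   # payload already encrypted by an approved tool


def decide(t: Transfer, now=None) -> str:
    """Return 'allow' or 'block' and append an audit record either way."""
    findings = classify(t.content)
    limits = POLICY[t.channel]
    over = [k for k, n in findings.items()
            if limits[k] is not None and n > limits[k]]
    if over and t.channel == "removable_media" and t.encrypted:
        over = []   # encrypted at rest: a lost stick does not expose the data
    action = "block" if over else "allow"
    AUDIT.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "user": t.user, "channel": t.channel, "destination": t.destination,
        "findings": findings, "action": action,
    })
    return action


# Constructed sample: a client roster like the one in the Medi-Cal post.
SAMPLE = """Client roster, Q4
Maria Lopez   SSN 123-45-6789   phone 415-555-0100
J. Chen       SSN 000-12-3456   (placeholder, never issued)
Card on file: 4111 1111 1111 1111
Ref number:   1234 5678 9012 3456
"""

if __name__ == "__main__":
    for ch, dest, enc in [("internal", "hr-share", False),
                          ("personal_email", "jdoe@example.net", False),
                          ("removable_media", "usb:SN1234", False),
                          ("removable_media", "usb:SN1234", True)]:
        print(ch, dest, decide(Transfer("j.doe", ch, dest, SAMPLE, enc)))
    print(AUDIT[-1])
```

The placeholder SSN and the non-Luhn reference number are counted as nothing, so the policy triggers on real identifiers rather than on anything that merely looks like one; the audit record is written on allow as well as block, because a record of where data legitimately went is exactly what the investigation after a lost laptop needs.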

Rice Faculty and Student Data at Risk

Saturday, October 2nd, 2010

Personal data on more than 7,000 Rice faculty, students, staff, and retirees was contained on a stolen storage device. The data was apparently not encrypted or otherwise protected, which means it may very well be exposed to or compromised by the thief, but there is no indication so far that the data has been used.

A report from Rice News and Media explains, “Late last month a device containing information for about 7,250 Rice faculty and staff, along with some students and retirees, was stolen. Over the past week administrators discovered that one of the files contained a list of Rice employees and students on the Rice payroll as of January 2010 and included information such as names, addresses, birth dates, employee identification numbers, salaries and emergency contacts, but no Social Security numbers. Another file included Social Security numbers, mostly for Rice employees.”

This is another example underscoring the need for data at rest to be encrypted–particularly sensitive data that can lead to identity theft if exposed to unauthorized users. Technology is becoming increasingly portable and mobile, which–by definition–also makes it easier to lose or steal. There is little any organization can do to eliminate the possibility of devices being lost or stolen, so organizations should instead focus on tools and protection that ensure the data on those devices cannot be accessed even if the device is lost or stolen.

Stolen Laptop Puts Patient Data at Risk

Tuesday, September 28th, 2010

A laptop belonging to an employee of St. Vincent Hospital in Indianapolis was stolen from the worker’s residence. That laptop contained medical history details and Social Security numbers of 1,200 hospital patients–and of course the data is not encrypted or protected in any way.

Rex McKinney, St. Vincent Hospital privacy officer stated, “We are committed to protecting the confidentiality and privacy of our patients and will continue to implement administrative, technical and physical safeguards against unauthorized disclosures of protected health information.”

That is all well and good, but in order to “continue” implementing safeguards you would have to have implemented some in the first place. The article also states that the hospital is taking “precautionary steps to avoid future incidents.”

The thing is that implementing controls in response to an incident after data has already been compromised is not “precautionary”–it’s reactionary. HIPAA (Health Insurance Portability and Accountability Act) compliance requirements already mandate that the data should have been protected to begin with. Putting basic protection in after the fact is hardly heroic or praiseworthy–it’s just public relations damage control.

When will organizations–particularly medical and educational institutions–learn that implementing solutions like Zecurion’s Zserver Storage is a simple, cost-effective solution that can prevent incidents like these and save the organization from facing the legal, financial, and reputation consequences of compromising sensitive data?

City College of New York Gets an “F” in Data Protection

Monday, September 13th, 2010

What is it about education and healthcare that makes them the two industries accounting for the vast majority of data breach incidents? Are there just more of them? Are they more valuable targets because of the data they contain? Or do they simply not understand the importance of data security, or how to implement it?

The City College of New York sent letters to about 7,000 students, notifying them that a stolen computer contained sensitive information and that their personal details–including name and Social Security number–might be compromised. The computer was password protected, but a login password only guards the running operating system, not the files on the disk; anyone who pulls the drive or boots from other media can read unencrypted data directly. For an attacker with half a clue, that poses only a trivial roadblock.

Obviously, organizations–including education and healthcare institutions–need to store data of a private or sensitive nature, but that data should be properly safeguarded to ensure it can not be compromised or accessed by unauthorized users even if the computer or drive it is stored on is lost or stolen. Someday, maybe these organizations will learn that it is more cost-effective to implement appropriate security measures proactively than it is to deal with the fallout of a data breach.