Posts Tagged ‘identity theft’

Keep An Eye On Sensitive Information

Friday, October 15th, 2010

Every little tidbit of information has value…to someone. A name, address, or birth date are good. A driver’s license or Social Security number is better. A bank or credit card account number is a jackpot. But, any one of those bits of information–and any combination thereof–can be put to use for identity theft or cyber fraud.

That is why events like the Accomack County worker’s laptop that was recently stolen while the employee was vacationing in Las Vegas should just not happen. It’s not that laptops shouldn’t get lost or stolen. It would be nice, but it’s impractical to expect. It’s not even necessarily that sensitive data like the names and Social Security numbers of 35,000 Accomack County taxpayers shouldn’t have been on the laptop when it was stolen. The laptop is used to conduct county business, and assuming this employee had a valid business reason for working with the data, then why shouldn’t it be on the laptop?

What shouldn’t happen is that sensitive information such as this can be transferred or stored without the IT admin having a record of when and where the data went. The data should also be encrypted so it stays protected against unauthorized access even if the laptop is lost or stolen. People have to work with their laptops–that is why they have them. And, laptops will continue to get lost and stolen. But, with the right policies and tools in place, a lost or stolen laptop does not have to result in compromising sensitive data.

City College of New York Gets an “F” in Data Protection

Monday, September 13th, 2010

What is it about education and healthcare that makes them the two industries comprising the vast majority of data breach incidents? Are there just more of them? Are they more valuable targets because of the data they contain? Or, do they simply not understand the importance of data security or how to implement it?

The City College of New York sent letters to about 7,000 students, notifying them that a stolen computer contained sensitive information and that their personal details–including name and Social Security number–might be compromised. The computer was password protected, but for an attacker with half a clue that poses only a trivial roadblock to gaining access.

Obviously, organizations–including education and healthcare institutions–need to store data of a private or sensitive nature, but that data should be properly safeguarded to ensure it cannot be compromised or accessed by unauthorized users even if the computer or drive it is stored on is lost or stolen. Someday, maybe these organizations will learn that it is more cost-effective to implement appropriate security measures proactively than it is to deal with the fallout of a data breach.

Cooper University Reports Personal Data on Missing Thumb Drive

Monday, August 2nd, 2010

ABC News in Philadelphia–WPVI–reports that Cooper University Hospital is missing a USB thumb drive containing sensitive personal data on medical students, residents, and fellows.

It is unknown whether the thumb drive was stolen, or simply lost. But, what is known is that the missing thumb drive contains Social Security numbers, addresses, and phone numbers of the affected individuals.

Cooper University Hospital issued a statement explaining “Cooper University Hospital is investigating the circumstances surrounding a missing thumb drive. The thumb drive contained information with personal data about graduate medical education residents and fellows for the current and prior academic years. We have advised the residents and fellows who were advised to contact their local police. No other employee information was compromised. Further, no patient information or records were compromised.”

There is no indication that the data on the thumb drive was a violation of policy in any way, but it is worth noting that USB thumb drives are a significant security concern for all organizations. Portable storage media that can hold 32GB or more of data could contain untold volumes of sensitive or confidential information. IT admins should employ Zecurion’s Zlock to restrict access for storing data on removable media. For additional data protection, the data on removable or portable media should also be encrypted so it can’t be compromised even if the device is lost or stolen.

State Laws Encourage Backup Encryption

Sunday, January 24th, 2010

I heard a rumor recently that Iron Mountain, a leading provider of offsite storage for backup data, was implementing a new policy that all customer data must be encrypted.

It makes sense. Unencrypted backup media seems to be an increasingly common source of data breaches. Chase Bank lost data on an unencrypted backup tape. Information Vaulting Services lost a backup tape from the state of Arkansas containing unencrypted personal information on over 800,000 individuals. A third-party storage vendor lost an unencrypted backup tape from Bank of New York Mellon with sensitive information from 4.5 million customers. The list goes on, and on, and on… and on.

While the organization entrusted with the data–Chase Bank, the state of Arkansas, or Bank of New York Mellon in the cases cited above–ultimately must pay the price for the data breach, both in terms of the broken trust with customers and damaged reputation, as well as any fines, penalties, and the cost of notifying and protecting customers, the fact is that these losses also reflect poorly on the third-party organizations responsible for securely storing the backup media.

Organizations like Iron Mountain that provide offsite storage have no way of knowing what data is contained on the media they store for their customers, nor whether that data is encrypted or protected in any way. A tape is a tape is a tape, and they are all handled and treated the same. Granted, a company that exists to provide secure offsite storage for backup data should not lose its customers’ backup media, but it shouldn’t bear any additional responsibility for personal or sensitive information being compromised as a result.

It turns out that the rumor I heard was incorrect. I spoke with Iron Mountain and I was told that it does not require customers to encrypt backup data–although it does believe it’s a good idea and highly recommends that customers consider doing so.

Apparently, the rumor stems, at least in part, from laws enacted in Nevada and Massachusetts. Those state laws require that personal information that could lead to identity theft be protected–even on backup media. Iron Mountain may not require it, but Nevada and Massachusetts do require organizations located in those states, or that conduct business there or retain personal information about citizens of those states, to encrypt that information on backup media.

Suffice it to say, it’s just a good idea. Data at rest should be encrypted whether it is stored on servers on your internal network or on backup media stored offsite with a third party.

Minnesota Employee Data Exposed by Lookout Services

Tuesday, December 15th, 2009

Personal information related to hundreds of Minnesota state employees has been publicly available on the Web for months–unencrypted and without any sort of password protection. Minnesota entered into a two-year deal with Texas-based Lookout Services to use its “seamless Fail Safe I-9 E-verify process”, but all state agencies have been ordered to stop using the service following discovery of the data breach.

Exposed data included employee names, birth dates, Social Security numbers and hire dates for every Minnesota state agency using the service, as well as personal data from a variety of other Lookout Services clients.

Lookout Services is one of about 13,000 firms registered with the Department of Homeland Security (DHS) to process E-verify checks to determine citizenship and employment eligibility for prospective employees. However, Bill Wright, deputy press secretary for U.S. Citizenship and Immigration Services–the agency within DHS responsible for E-verify checks–responded saying “Is there a requirement to notify if there has been a security breach? The answer is no.”

The state of Minnesota, however, disagrees with that philosophy. Minnesota is one of 46 states that require victims to be notified in the event of a data security breach. The Minnesota legislation requires that victims whose data has been exposed to unauthorized access be notified as soon as possible about the breach.

The responsibility for protecting the data ultimately lies with the companies or agencies it was originally entrusted to. Part of the process of engaging a third party to handle such sensitive information is to ensure they have strong policies and procedures, and adequate security controls in place to safeguard the information. Apparently, Minnesota didn’t do its due diligence prior to partnering with Lookout Services.

Patient Data Leaked to Local Attorneys by Hospital Worker

Sunday, December 13th, 2009

The University Medical Center (UMC) in Las Vegas is in hot water after it was discovered that at least one hospital employee has been leaking personal information of accident victims to local attorneys so that the lawyers could solicit the patients as clients. The breach of patient data violates federal HIPAA (Health Insurance Portability and Accountability Act) guidelines and could result in fines up to $1.5 million.

According to an article from the Las Vegas Review-Journal, the potential HIPAA fines are divided into four categories with a total maximum of $1.5 million:

  • If the hospital shows it didn’t know about security leaks, even though it made a good-faith effort to ferret them out, it faces fines of $100 to $50,000 per violation.
  • If the violation resulted from a reasonable cause with no willful neglect, the hospital could be fined $1,000 to $50,000 for each offense.
  • If federal officials determine the hospital was negligent but fixed the problems within 30 days, the fines would run $10,000 to $50,000 per violation.
  • If it takes longer than 30 days, the fines start at $50,000.

The hospital received fairly high marks from a county auditor for HIPAA compliance, but with a few notable flaws. The auditor identified issues with patient records being left unattended, outgoing email with sensitive information being transmitted without encryption, and no record of what information was disclosed to third-parties in some cases. Any of these data protection weaknesses could come back to haunt UMC both with the federal investigation and fines, as well as with any subsequent civil suits arising from the breach of confidentiality.

Health and medical institutions like UMC would benefit from using tools to enforce data security policies and monitor and restrict the data that is sent to networked printers or saved to removable media, and software that can scan and filter outbound email to ensure sensitive information is not transmitted unencrypted.
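The outbound-email scanning just described, as an added example that is not part of this blog or of any product it mentions: a small content filter that flags Social Security number patterns in a message body, allows the message only if it carries no such identifiers or is already encrypted, and writes the kind of "when and where did the data go" audit record the Accomack County post earlier on this page calls for. The message format, the `encrypted` flag and all sample messages are constructed for the example; the structural plausibility checks (area 000, 666 and 900–999, group 00 and serial 0000 are never issued) follow the Social Security Administration's published rules and cut down on false positives from invoice or reference numbers that happen to share the 3-2-4 shape.

```python
import re
from dataclasses import dataclass, field

# Constructed sample outbound messages; none of these numbers belong to a real person.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "to": "lawfirm@example.com", "encrypted": False,
     "body": "Patient record for accident victim, SSN 123-45-6789, room 4B."},
    {"id": "msg-2", "to": "registrar@example.org", "encrypted": True,
     "body": "Resident roster attached; includes SSN 234-56-7890 for payroll."},
    {"id": "msg-3", "to": "vendor@example.net", "encrypted": False,
     "body": "Invoice 987-65-4321, PO 000-12-3456, reference 123-00-6789."},
    {"id": "msg-4", "to": "friend@example.com", "encrypted": False,
     "body": "Lunch tomorrow? Call me at 555-0100."},
]

# Anything shaped like a 3-2-4 digit group, bounded by non-digits.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area, group, serial):
    """Reject shapes the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text):
    """Return the SSN-like tokens in text that pass the structural checks."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def redact(text):
    """Mask plausible SSNs, keeping the last four digits so the recipient can still match a record."""
    def mask(m):
        return "***-**-" + m.group(3) if is_plausible_ssn(*m.groups()) else m.group(0)
    return SSN_RE.sub(mask, text)


@dataclass
class Verdict:
    message_id: str
    action: str            # "allow" or "block"
    reason: str
    findings: list = field(default_factory=list)


def evaluate(message):
    """Policy: block an unencrypted message that carries SSN-like identifiers; allow otherwise."""
    hits = find_ssns(message["body"])
    if not hits:
        return Verdict(message["id"], "allow", "no sensitive identifiers found")
    if message["encrypted"]:
        return Verdict(message["id"], "allow", "identifiers present but message is encrypted", hits)
    return Verdict(message["id"], "block", "unencrypted message contains SSN-like identifiers", hits)


def audit_line(message, verdict):
    """One log record per decision: who the data was headed to and what was done. Values are redacted
    so the audit trail does not itself become a second copy of the sensitive data."""
    return (f"id={verdict.message_id} to={message['to']} action={verdict.action} "
            f"ssn_count={len(verdict.findings)} reason=\"{verdict.reason}\"")


def run_filter(messages=SAMPLE_MESSAGES):
    """Evaluate every message; return the audit lines in order."""
    return [audit_line(m, evaluate(m)) for m in messages]


if __name__ == "__main__":
    for line in run_filter():
        print(line)
```

Only `msg-1` is blocked: `msg-2` contains an SSN but is encrypted, `msg-3` carries three 3-2-4 numbers that all fail the structural checks, and `msg-4` has no matching pattern at all. A real deployment would also scan attachments and hash or tokenize the findings rather than keep them in memory, but the decision logic is the same.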