Posts Tagged ‘personal information’

Israeli Data Breach Has Terrorist Implications

Thursday, October 27th, 2011

Any time personal details and sensitive information are breached it’s a problem. Most of the time, though, people are concerned with receiving more spam, or–at worst–identity theft that could lead to funds being taken from bank or investment accounts, or debt being run up in the name of the victim. A data breach in Israel, however, put the details of virtually the entire population at risk in a way that could be used by terrorists or opposition forces to target certain demographics or individuals.

The compromised data includes names, ID numbers, addresses, birth dates, and other sensitive data such as relationships between individuals for 9 million Israeli citizens. The information was illegally distributed in a program called Agron 2006 which enables users to query the database and drill down through the data to identify demographic sectors of society, and trace the relationships between key individuals. In the wrong hands, this information could be used to target certain groups or individuals, and put their extended families and friends at risk as well.

The Justice Ministry investigation has been ongoing for five years, and just recently resulted in the arrest of six individuals. Bringing responsible parties to justice is important, but the proverbial horse has already escaped the barn. Hopefully the Israeli government has implemented better data encryption and data loss prevention tools to prevent such incidents from occurring in the first place in the future.

Gigabytes of Data Gone in a Flash

Thursday, March 3rd, 2011

Have you ever lost a USB thumb drive? I have so many, I am not even sure I would notice if one was missing. I am positive that some have been misplaced over time. Thankfully, none of my USB thumb drives have any private or sensitive information I care about on them. Lost thumb drive? No sweat. The next tech conference or event I go to, I am bound to get three or four new ones.

For many companies, unfortunately, thumb drives also get lost–but contain sensitive data that is not properly protected. For example, an employee of the Henry Ford Health System in Michigan recently lost a USB flash drive containing unencrypted information on nearly 3,000 patients.

Apparently, Henry Ford Health System has a policy in place mandating that such data be encrypted. The article states, “The device is not encrypted as required to protect individual patient information.” It also says, “hospital officials said it’s still unclear how the flash drive was lost.”

I think this brings up two valuable points. First–it is only marginally relevant how the flash drive was lost. Maybe it was stolen. Maybe it got left in a pair of pants and washed with the laundry. Maybe it fell out of the employee’s pocket. The bottom line is that determining how the USB flash drive was lost is unlikely to yield any useful results to prevent a similar occurrence in the future.

Second, it demonstrates that an unenforced policy is about as effective as not having a policy in the first place. Whether the employee intentionally ignored the policy, or made an honest mistake, the fact is the policy wasn’t followed and now personal information on almost 3,000 patients is assumed exposed or compromised as a result.

Establishing a policy is an important step, but it is just a first step, not the end of the journey. IT admins need to have tools in place that can monitor systems and ensure the policy is followed and enforced as well.

Disgruntled Employee Exposes Client Data

Tuesday, February 15th, 2011

A former San Francisco city employee breached the confidential data of nearly 2,500 Medi-Cal recipients in an effort to make a case defending the “poor performance” that led to her dismissal.

The client data–which includes Social Security numbers and other sensitive personal data–was sent to her own home PC, but was also exposed to her attorneys and union representatives.

Given the reason for breaching the data, and the limited audience with which the information was allegedly shared, it seems highly unlikely that any of the client information will be used for identity theft or any other nefarious purposes. However, that doesn’t change the fact that the data should not be exposed or compromised.

The fired worker in question ostensibly had a legitimate business purpose for having access to the data in question. The incident illustrates, though, that organizations need to have better monitoring and filters in place to control what happens with that data, or where that data is allowed to be sent or saved even when it is accessed by an authorized individual. Obviously, there will be some workers who need to have access to sensitive information, and organizations need tools to prevent that data from going any further or being shared with or exposed to unauthorized individuals.

$6.5 Million is a Lot to Gamble

Wednesday, May 12th, 2010

Section 13402(e)(4) of the HITECH Act requires that the Secretary of Health and Human Services post a list of breaches of unsecured protected health information affecting 500 or more individuals.

Since HHS began tracking and posting these breaches in late September of 2009, there have been 77 such incidents, impacting a total of 2.4 million individuals. That is an average of more than 30,000 breached records containing personal information for each incident. A 2009 study by the Ponemon Institute found that the average cost of a data breach in the United States is $208 per compromised record, making the average cost of these 77 data breaches over $6.5 million.

Some of the data breaches were the result of physical data–forms and paperwork–being thrown into a dumpster. But, nearly 75 percent of the incidents involved unencrypted data stored on servers, backup tapes, or portable storage media.

Applying the averages–here is the bottom line: 56 out of 77 incidents could have been prevented if those organizations used Zecurion Zserver Suite to encrypt and protect data. That means that nearly 1.8 million of the 2.4 million affected individuals would not have had their personal data compromised, and that these organizations could have avoided a combined $364 million in costs to clean up after the breach.

The investment in proactively protecting data is significantly less than the cost of reacting to a data breach incident, and it doesn’t have the long-term negative impact to the organization’s credibility and reputation.

A Server Breach Does Not Have to be a Data Breach

Monday, January 11th, 2010

Stop and think about your bank for a minute. Do they pile the money up in the middle of the lobby? Why not?–There are locks on the doors.

No. The bank does have locks on the doors…and an alarm system…and armed security guards…and video surveillance…and yet, they still keep the money locked in a vault–just.in.case. Even if intruders manage to break through or bypass all of the other security measures, the money will still not be compromised because it is in a locked vault.

Organizations need to treat sensitive data the same way banks treat money. The security controls in place–firewalls, intrusion detection, antimalware, etc.–are great, and necessary, but sensitive information like Social Security numbers, account numbers, etc. needs to be encrypted for that extra measure of protection to ensure it cannot be breached even if malicious intruders manage to circumvent the other security controls.

The school district in Eugene, OR had security in place on its server, but attackers were able to bypass it. That server contained information on 13,000 current and former employees including names, addresses, dates of birth, Social Security numbers, tax identification numbers and direct-deposit bank account information. If the school district had encrypted the data on the server using a tool like Zecurion ZServer Storage, the sensitive information could have been protected even though attackers breached the server.

Laptop Stolen, But Security Measures Make Data Compromise Unlikely

Thursday, December 17th, 2009

A story from CNN today reports that a laptop containing personal information on approximately 42,000 Fort Belvoir Morale, Welfare and Recreation (MWR) patrons was stolen over the Thanksgiving holiday weekend. The focus of the CNN story seems to center on the fact that it took two weeks for the military to respond and alert those whose information may be compromised by the theft. It goes on to exclaim that this is not the first time the military has had a laptop stolen, but assures us that there is a bill currently in the Senate which would call for greater protection for mobile data.

What seems to be somewhat glossed over in the CNN story is the fact that this data was protected. CNN does mention it when it says “information security experts for the Army say it’s unlikely that the information will be compromised because the data are guarded by three layers of security and encryption passwords.” But, somehow that part seems buried under the rest of the story as if we’re not supposed to care about it.

I am not sure we can ask much more. Portable computers like laptops and netbooks are trending up in sales, and portable storage like USB flash drives and external hard drives are relatively cheap. The convenient and portable size of the computers also makes them easy and convenient to steal. The bottom line is that there is a lot of sensitive information being carried around on these devices.

Companies and individuals need to operate under the assumption that a laptop will be stolen. I am not suggesting that laptop theft is so rampant that there is no way to avoid it, I am just suggesting that the data on the laptop be treated as if its theft were a sure thing. If you knew, for a fact, that your laptop would be stolen tomorrow, what kind of security would you have on it to protect the information it contains? Which data is so sensitive that you would add extra layers of security and encryption to virtually guarantee that it can’t be compromised?

In this case, perhaps the military should have notified individuals sooner. It can also be argued that, because of the security controls and encryption in place, the military didn’t need to notify anyone at all. By placing adequate protection on the laptop the military essentially ensured that the thief might be able to use or sell the laptop, but they won’t be accessing any of the data it contains.

Minnesota Employee Data Exposed by Lookout Services

Tuesday, December 15th, 2009

Personal information related to hundreds of Minnesota state employees has been publicly available on the Web for months–unencrypted and without any sort of password protection. Minnesota entered into a two-year deal with Texas-based Lookout Services to use its “seamless Fail Safe I-9 E-verify process”, but all state agencies have been ordered to stop using the service following discovery of the data breach.

Exposed data included employee names, birth dates, Social Security numbers and hire dates for every Minnesota state agency using the service, as well as personal data from a variety of other Lookout Services clients.

Lookout Services is one of about 13,000 firms registered with the Department of Homeland Security (DHS) to process E-verify checks to determine citizenship and employment eligibility for prospective employees. However, Bill Wright, deputy press secretary for U.S. Citizenship and Immigration Services–the agency within DHS responsible for E-verify checks–responded, saying “Is there a requirement to notify if there has been a security breach? The answer is no.”

The state of Minnesota, however, disagrees with that philosophy. Minnesota is one of 46 states that do require victims be notified in the event of a data security breach. The Minnesota legislation requires that victims whose data has been exposed to unauthorized access be notified as soon as possible about the breach.

The responsibility for protecting the data ultimately lies with the companies or agencies it was originally entrusted to. Part of the process of engaging a third-party to handle such sensitive information is to ensure they have strong policies and procedures, and adequate security controls in place to safeguard the information. Apparently, Minnesota didn’t do its due diligence prior to partnering with Lookout Services.