Posts Tagged ‘sensitive data’

Honda Canada Hack Exposes Data on 280,000 Customers

Friday, May 27th, 2011

Honda Canada is informing some 280,000 customers of a data breach that exposed their personal data. The actual attack was discovered a couple months ago, but Honda Canada had to first determine the scope and impact of the attack before it could begin notifying customers.

There is some good news as well, though–at least good news relative to having data on 280,000 customers compromised. According to the notice sent by Honda to customers, the data that was exposed did not include sensitive details such as Social Security numbers, driver’s license information, birth dates, phone numbers or credit card numbers.

Good news aside, the delay in reporting the attack highlights an issue faced by many companies–they lack the archiving and logging that would make a forensic investigation of an incident much easier. IT admins should have tools in place to A) monitor outbound traffic and block sensitive data from being compromised or exposed, and B) create an audit trail for data that is allowed out so that IT admins can quickly and easily identify which data may be impacted by a security incident.

Don’t Tell Me How Much You Value My Privacy

Tuesday, May 10th, 2011

With the number of massive, high-profile data breaches that have occurred in recent months, there is a very good chance you have received at least one notice from a vendor letting you know that your personal data or account information may have been compromised or exposed. Without fail, those notices start with something to the effect of “Your privacy is our number one priority”, or “We value the security of your personal data above all else”. Please. If that were true, you wouldn’t be sending me the notice in the first place.

Do you really want to show me how much you value my privacy, or how much of a priority it is for you to protect my personal information? Try more proactive action to prevent it from being compromised or exposed, and less apologizing after the fact for your failure to do so. Honestly, with each passing data breach that makes the headlines it becomes less and less excusable for organizations to not take steps to put the tools in place to prevent data from getting breached.

I am not suggesting that the network itself should be impenetrable, or that laptops or portable storage drives should never be lost or stolen. Those things are not truly possible. But, with the right tools and security measures in place, a hacked network won’t expose sensitive information, and a laptop or portable drive in the wrong hands won’t mean that personal data is potentially compromised.

Doing the right thing up front will not only earn you my respect, and help you avoid having to send out those condescending notifications, but it is also significantly less costly than the consequences and fallout of a data breach.

Protect Data with Digital Fingerprinting

Monday, April 25th, 2011

A file name seems like an obvious way to uniquely identify files. Within a single folder, you can’t have two files of the exact same name, so that method works…in that folder. However, you can have the exact same file name in multiple folders, and those files may have absolutely nothing to do with each other. And, what happens if someone takes a sensitive file and simply renames it, or copies confidential data from the file and pastes it into a new file? Without knowing what the new file is called, it is a daunting task to make sure that any sensitive contents in that file don’t leave the network.

Well, let’s look at a similar example using people. You may recognize an individual, but what if the person wears a wig, or a false mustache, or changes clothes? Regardless of the outward appearance, people can still be uniquely identified by their fingerprints. They are distinct from any other. The same logic can be applied to a file–creating a digital fingerprint that identifies the file even if the file is renamed, or the contents are copied into some other file or format.

A cryptographic hash, or message digest, is one form of this type of unique identification. A cryptographic hash algorithm computes a value from the file’s contents that serves as a unique key for the file. Comparing the message digest of a given copy against the digest of the original shows whether that copy is legitimate and has not been altered in any way.

Digital fingerprinting takes a broader approach. It looks beyond simply validating the integrity of the original file and can identify the contents of fingerprinted files even if portions of the content are copied and pasted into other files, or into completely different file formats.

Digital fingerprinting is a crucial element for preventing sensitive or confidential data from being exposed or compromised, and keeping your data on your network where it belongs.
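The contrast between a whole-file message digest and a content fingerprint, as an added example that is not part of the original post: it uses word shingling (hashing every run of five consecutive words), which is one common way to build such a fingerprint and is not presented as the method of any particular product. The function names, the shingle size and the sample texts are constructed for illustration.

```python
import hashlib
import re

K = 5  # words per shingle (assumed value; tune for your own data)

def digest(data: bytes) -> str:
    """Whole-file message digest: any change to the bytes changes it."""
    return hashlib.sha256(data).hexdigest()

def fingerprint(text: str, k: int = K) -> set:
    """Hash every run of k consecutive words, ignoring markup, case and punctuation."""
    text = re.sub(r"<[^>]+>", " ", text)  # drop HTML-style tags
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }

def shared_shingles(protected: str, candidate: str) -> int:
    """Count fingerprint hashes the candidate has in common with the protected file."""
    return len(fingerprint(protected) & fingerprint(candidate))

# Constructed sample data, not taken from any real document.
PROTECTED = (
    "Q3 acquisition memo: the board approved the purchase of Example Widgets "
    "for 41 million dollars, closing on the first of October. "
    "Do not distribute outside the finance team."
)
RENAMED_COPY = PROTECTED  # same bytes saved under a different file name
PASTED_EXCERPT = (
    "Hi Sam,<br>FYI <b>the board approved the purchase of Example Widgets "
    "for 41 million dollars</b>, talk soon."
)
UNRELATED = "Lunch menu for Friday: soup, salad and sandwiches in the cafeteria from noon."

if __name__ == "__main__":
    # A renamed file still matches by digest; a pasted excerpt does not.
    print("renamed copy, digest match:", digest(RENAMED_COPY.encode()) == digest(PROTECTED.encode()))
    print("pasted excerpt, digest match:", digest(PASTED_EXCERPT.encode()) == digest(PROTECTED.encode()))
    # The fingerprint still recognizes the excerpt inside an HTML message.
    print("pasted excerpt, shared shingles:", shared_shingles(PROTECTED, PASTED_EXCERPT))
    print("unrelated text, shared shingles:", shared_shingles(PROTECTED, UNRELATED))
```

An outbound filter built this way would flag a message once the shared count passes a threshold chosen to balance missed excerpts against false matches on common phrases.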

Emailing Sensitive Data

Thursday, February 3rd, 2011

While the primary aim for most companies is to ensure that sensitive or confidential information is not sent out via email, for some industries the sharing of sensitive information is a business necessity. The medical, finance, and insurance industries all need to be able to exchange private or confidential information with customers. The trick is to share the information in a secure manner that protects it from unauthorized view.

Once upon a time, a medical benefits processing company I was working with needed to confirm some contract details with me via email. They had a gateway solution in place to prevent sending out sensitive information. Instead, the solution stored the message securely on a local server, then sent me an email with a link to access it over an encrypted HTTP connection. Fair enough. Except the part where they included the password necessary to access the encrypted data with the email containing the link. Oops.

Fast forward a year or two. I recently switched banks and I needed to change the automatic payment info with my life insurance company. Apparently my life insurance has a similar solution in place for protecting sensitive data, because what I received was a more or less blank email with an HTML attachment of some sort. I clicked the attachment and it asked for a password–a password I had never created and had no idea what it might be. I just typed in a random password I sometimes use, which it accepted and then took me to an initial login screen requiring me to change/create my password. So, they had enough sense to try and safeguard my private information from unauthorized access, but sent it as an email attachment requiring a password that you get to make up as you go? Well, that’s secure.

Companies like these need to have ways to protect sensitive data, and also must meet data protection compliance requirements such as HIPAA / HITECH, and PCI DSS. I question, though, just how secure my data really was in either instance. Obviously, there are some serious flaws in both solutions. Companies need tools that can identify and filter sensitive information, and deliver data securely when warranted.

An Unenforced Policy is the Same as No Policy at All

Friday, June 4th, 2010

The West Berkshire Council has just learned this lesson the hard way. According to a recent report of lost data, “West Berkshire introduced encrypted memory sticks in 2006. But following an investigation by the Information Commissioner’s Office (ICO), it was also discovered that council employees were still using unencrypted memory sticks.”

In a perfect world, simply stating that data should only be stored on approved USB devices, and that all data on portable storage media must be encrypted would be good enough. In the real world, though, simply stating it is not good enough. Stating a policy–without any means of monitoring or enforcing compliance with it–is simply paying lip service to data protection and gambling that a data breach incident will never occur.

West Berkshire Council lost that gamble when an unencrypted USB memory stick containing sensitive information relating to the ethnicity, and mental and physical health of children was lost. The report also contains this quote: “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.”

The best option to ensure correct safeguards are in place is Zlock. Zlock allows IT administrators to restrict users from writing data to unapproved portable storage media. Access can be locked down to devices from a particular manufacturer, or of a particular type. A specific USB memory stick can be associated with each individual user, and all other memory sticks can be blocked.

In the case of West Berkshire Council, Zlock would have been instrumental in ensuring that users relied on the encrypted USB memory sticks they were issued four years ago, rather than storing data on the now lost unencrypted USB memory stick.