Posts Tagged ‘social security number’

There Comes a Point Where It’s Willful Neglect

Monday, September 26th, 2011

Benefits Administration Services (BAS) revealed that a CD containing sensitive information on about 4,000 U.S. Steel Mining retirees and their dependents is lost in the mail somewhere. The CD is supposedly password protected, but the data it contains is not encrypted. That distinction matters: a password prompt on a disc whose files are stored in the clear is not a control, because anyone who reads the disc with a tool that ignores the prompt gets the data.

I think we’ve all been pretty tolerant of data breaches up to now. Perhaps too tolerant.

We always give the benefit of the doubt to companies and their employees: “They didn’t mean to expose my Social Security number”, or “I’m sure it was an accident that the medical center posted my health record on the Web”, or “Well, it’s not my bank’s fault that the postal system lost the disc with my data on it.”

But, those excuses won’t fly any more. Companies and employees do know better. It is a simple matter of having solid data handling and data protection policies, and the tools in place to enforce them. That worker probably didn’t intend to expose your Social Security number, but a data loss prevention (DLP) tool could have prevented the inadvertent exposure. It probably was an accident that your medical records were posted online, but a DLP gateway would prevent that information from leaving the network. Your bank can’t guarantee that the post office won’t lose a disc in transit, but they can have tools in place to automatically encrypt data so that it is protected from unauthorized access.
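The paragraph above says a DLP gateway could stop a Social Security number from leaving the network, but not how such a check works or why a bare digit pattern is not enough. The following is an added example, not code from the original post or from any product mentioned on this page: a small content inspector that finds 3-2-4 digit patterns, then applies the Social Security Administration's structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) so that placeholders, phone numbers and longer account numbers are not flagged. The sample messages, the rule thresholds and the function names are constructed for this example.

```python
import re
from typing import List, Tuple

# 3-2-4 digits with an optional separator that must be consistent (the \2
# backreference); \b stops matches inside longer digit runs such as
# 10-digit phone or account numbers.
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues, which cuts the obvious false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssns(text: str) -> List[str]:
    """Return the substrings of text that look like issued SSNs."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(m.group(0))
    return hits


def dlp_verdict(message: str, threshold: int = 1) -> Tuple[str, List[str]]:
    """Block an outbound message once it carries `threshold` or more plausible SSNs."""
    found = find_ssns(message)
    return ("block" if len(found) >= threshold else "allow", found)


# Constructed sample messages (not real data) covering a genuine hit,
# a template placeholder, a phone number, a 666 area and a 10-digit account number.
SAMPLE_MESSAGES = [
    "Retiree roster attached: J. Smith, SSN 219-09-9999, DOB 1948-03-02",
    "Placeholder SSN 000-00-0000 in the template, call 212-555-0123 ext 4455",
    "Ticket 666-12-3456 and invoice 1234567890 are unrelated numbers",
    "No identifiers here, just a meeting note.",
]


def scan_outbound(messages: List[str]) -> List[Tuple[str, List[str]]]:
    """Run the gateway check over a batch of outbound messages."""
    return [dlp_verdict(m) for m in messages]


if __name__ == "__main__":
    for msg, (verdict, hits) in zip(SAMPLE_MESSAGES, scan_outbound(SAMPLE_MESSAGES)):
        print(f"{verdict:5s} {hits} <- {msg}")
```

Only the first sample message is blocked. The unseparated form ("123456789") is still matched, which is the right default for a gateway: it is the form most likely to appear in a pasted spreadsheet column. A production DLP rule would add context words ("SSN", "Social Security") and document fingerprinting on top of this, but the structural rules alone already remove most of the noise a naive `\d{3}-\d{2}-\d{4}` rule produces.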

In the past, we could forgive these things. But, data breaches are in the news almost daily. There are multiple industry, state, and federal mandates in place governing the effective protection of personal and sensitive data. No company or employee can claim ignorance at this point.

No. Now it’s a matter of willful neglect. Employees know what they’re supposed to do, but they’d rather take shortcuts and ignore data protection policies. Companies know what they’re supposed to do, but they’d rather save a buck and gamble with your personal data instead. 

DLP tools are not expensive–especially in relation to a data breach. There is no excuse.

Everything Is Bigger in Texas–Even Data Breaches

Tuesday, April 12th, 2011

Not to be outdone by the likes of Epsilon, Texas holds true to its popular tag line that “everything is bigger in Texas” with a larger than life data breach of its own. Heads rolled and people lost their jobs when it was discovered that sensitive information on more than 3.5 million people was left exposed to the public by the Texas Comptroller office.

The Epsilon data breach affected more individuals, but all that was compromised were email addresses, and perhaps the affiliation of an email address as a customer of a specific bank or retail establishment. The Texas breach, on the other hand, exposed much more useful data from an identity theft perspective: names, addresses, and Social Security numbers. In some cases, even dates of birth and driver’s license numbers were compromised.

Tsk, tsk Texas. To borrow a quote from Benjamin Franklin, “an ounce of prevention is worth a pound of cure.”

Rice Faculty and Student Data at Risk

Saturday, October 2nd, 2010

Personal data on more than 7,000 Rice faculty, students, staff, and retirees was contained on a stolen storage device. The data was apparently not encrypted or otherwise protected, which means it may very well be exposed to or compromised by the thief, but so far there is no indication that the data has been used.

A report from Rice News and Media explains, “Late last month a device containing information for about 7,250 Rice faculty and staff, along with some students and retirees, was stolen. Over the past week administrators discovered that one of the files contained a list of Rice employees and students on the Rice payroll as of January 2010 and included information such as names, addresses, birth dates, employee identification numbers, salaries and emergency contacts, but no Social Security numbers. Another file included Social Security numbers, mostly for Rice employees.”

This is another example underscoring the need for data at rest to be encrypted–particularly sensitive data that can lead to identity theft if exposed to unauthorized users. Technology is becoming increasingly portable and mobile, which–by definition–also makes it easier to lose or steal. There is little that any organization can do to eliminate the possibility of devices being lost or stolen, so instead organizations should focus on tools and protection that ensure the data contained on those devices cannot be accessed even if the device is lost or stolen.

Arkansas National Guard Loses Unencrypted Drive

Wednesday, March 10th, 2010

The Arkansas National Guard lost an external hard drive containing unencrypted data. The data on the drive included the Arkansas National Guard personnel file dating back to 1991–complete with names, social security numbers and other personal information which could put the affected Soldiers at risk for identity theft.

Thus far, there is no evidence to suggest foul play. The Guard remains hopeful that the drive is simply misplaced. However, the Guard is making every effort to identify those affected and alert them of the potential data risk.

That is good news–assuming that the Guard is correct and the data isn’t in the hands of anyone with malicious intent. But, what if they’re wrong? Or, what if they’re right that the drive was innocently misplaced, but someone with less-than-honorable intentions locates it before they do?

The fact is that the Arkansas National Guard–and any other organization storing sensitive or confidential information–could have avoided any potential breach of the data by encrypting it. A lost drive doesn’t have to put data at risk if the data it contains is properly protected.

Zecurion Zserver Suite protects data at rest. Zserver Storage’s hard disk encryption functions transparently, ensuring the safety and security of data even if the storage media device is removed–as is often the case for external hard drives. None of the data, including the file allocation tables or any Zserver Storage supporting files, is accessible without the authorized encryption keys.

Zserver Storage encrypts most types of data storage hardware and devices including IDE and SCSI hard drives, RAID mirrored drives, CD/DVD optical disks and magnetic tapes, making Zserver Storage a viable, cost-effective alternative to other encrypted storage hardware solutions such as network storage appliances.

The bottom line is that it is unreasonable to expect users not to store sensitive or confidential data on drives–whether internal or external. It should be assumed that drives will contain such information, and organizations should proactively encrypt the data using a product like Zserver Suite to ensure it is protected from unauthorized access no matter where the drive ends up.

North Carolina Server Breach Exposes Sensitive Data

Sunday, December 20th, 2009

More than 50,000 users had sensitive information, including driver’s license and Social Security numbers, exposed during a server breach in August. The breach of a server at the community college System Office in Raleigh occurred on August 23rd, and officials were aware of it as of August 24th. An investigation was reportedly begun immediately, but news of the breach was only made public this week–almost four months later.

The official press release regarding the incident explains “The NC Community College System Office began notifying nearly 51,000 library users from 25 community colleges that a security breach occurred on a computer server containing their personal information, including Social Security or driver’s license numbers. All reviews and investigations indicate that no personal information was accessed by the intruder. However, library users with such information on the server will soon begin receiving letters explaining the attack, steps being taken to prevent future breaches and actions they may take to protect their credit and to ensure protection from identity theft.”

The press release describes the attack as a successful password cracking attempt via the Internet. That leaves questions to answer about password complexity, account lockout, and why a password-guessing attack could be run against this server from the Internet at all. Encryption would have helped here only if the keys were out of the cracked account’s reach: transparent disk encryption protects a server against theft of its disks, but a logged-in user sees the data in the clear, so the records would have stayed protected after the login was breached only if the files or fields were encrypted with keys that the compromised account could not use.
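The post notes that the intruder cracked a password over the Internet and that officials knew within a day, which is the kind of attack an authentication log exposes while it is still in progress. The following is an added example, not code from the original post or from the System Office: a detector that reads sshd-style authentication lines, keeps a sliding window of failures per source address, raises one alert when a source crosses the failure threshold inside the window, and raises a second, higher-priority alert when a success from that same source follows the run of failures (the signature of a cracked password). The log lines, timestamps, addresses (from the TEST-NET ranges) and thresholds are constructed for this example; the line format is a simplified sshd layout, not the format of any particular system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log in a simplified sshd layout (not real data):
# one source guesses five times in eight seconds and then gets in;
# a second source fails once and succeeds fifteen minutes later.
SAMPLE_AUTH_LOG = """\
2009-08-23T02:14:01 sshd: Failed password for admin from 203.0.113.7 port 51234
2009-08-23T02:14:03 sshd: Failed password for admin from 203.0.113.7 port 51235
2009-08-23T02:14:04 sshd: Failed password for root from 203.0.113.7 port 51236
2009-08-23T02:14:06 sshd: Failed password for admin from 203.0.113.7 port 51237
2009-08-23T02:14:08 sshd: Failed password for admin from 203.0.113.7 port 51238
2009-08-23T02:14:09 sshd: Accepted password for admin from 203.0.113.7 port 51239
2009-08-23T02:20:00 sshd: Failed password for jdoe from 198.51.100.4 port 40001
2009-08-23T02:35:00 sshd: Accepted password for jdoe from 198.51.100.4 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)

# Alert tuple: (kind, source address, last user tried, timestamp as ISO string)
Alert = Tuple[str, str, str, str]


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> List[Alert]:
    """Sliding-window failure counter per source; 'bruteforce' fires once when a
    source reaches `threshold` failures within `window_s` seconds, 'cracked'
    fires when a success arrives while that many failures are still in the window."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    window = timedelta(seconds=window_s)

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a real parser would count these
        ts = datetime.fromisoformat(m["ts"])
        src, user = m["src"], m["user"]
        failures = recent[src]

        # Expire failures that fell out of the window before counting this line.
        while failures and ts - failures[0] > window:
            failures.popleft()

        if m["result"] == "Failed":
            failures.append(ts)
            if len(failures) == threshold:  # fire once on crossing, not on every guess
                alerts.append(("bruteforce", src, user, ts.isoformat()))
        elif len(failures) >= threshold:
            # A success right after a burst of failures is the cracked-password signature.
            alerts.append(("cracked", src, user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for kind, src, user, when in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{when} {kind:10s} src={src} user={user}")
```

Run as is, the sample produces a `bruteforce` alert at 02:14:08 and a `cracked` alert at 02:14:09, both for 203.0.113.7; the lone failure from 198.51.100.4 never reaches the threshold, and its later success is clean because the failure has aged out of the window. The `cracked` alert is the one worth paging on: a lockout policy would have stopped the burst before it got there, and encryption of the stored records with keys the login could not reach is what would have kept the data unreadable afterwards.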