Another article, this time from the irishtimes.com, shows how second-hand hard drives sold on on-line auction sites contain enough information to make identity thieves very happy. A twist on this particular story, however, is that these drives are being traced back to employees who work at home on their personal computers (personal as in the state of ownership, not the size of the computer). Information protection services like AlertBoot data encryption software would help prevent such breaches...but can a company dictate that employees use encryption on their home PCs?
Another article, this time from the irishtimes.com, shows how second-hand hard drives sold on on-line auction sites contain enough information to make identity thieves very happy.
A twist on this particular story, however, is that these drives are being traced back to employees who work at home on their personal computers (personal as in the state of ownership, not the size of the computer). Information protection services like AlertBoot data encryption software would help prevent such breaches...but can a company dictate that employees use encryption on their home PCs?
A study by Ernst & Young has revealed that used drives bought for as little as five Euros can contain extremely sensitive information such as bank account details, confidential e-mails, etc. In most cases, the sellers hadn't even erased the information, and were readily accessible. Some had gone through the process of deleting files or reformatting the drive; however, as the E &Y guys correctly pointed out, it's still easy to retrieve data. Reformatting the drive, for example, doesn't really erase data. What it does is the following: Erases data on the address tables (i.e., bookkeeping information to keep track of where your data files can actually be found. Information for the same file can be separated into chunks and saved in different parts of your drive, and is reassembled when called for) Runs disk checks to figure out sector reliability, and mark the bad ones as unusable Creates a new address table since the old one was erased In other words, most of your data is still there...it's just that the computer can't find it on its own (on account of having deleted the address tables). However, there is plenty of cheap software out there that can recover this information for you. Likewise, deleting data just marks a particular area in the hard drive as "available for data to be written."
A study by Ernst & Young has revealed that used drives bought for as little as five Euros can contain extremely sensitive information such as bank account details, confidential e-mails, etc.
In most cases, the sellers hadn't even erased the information, and were readily accessible. Some had gone through the process of deleting files or reformatting the drive; however, as the E &Y guys correctly pointed out, it's still easy to retrieve data.
Reformatting the drive, for example, doesn't really erase data. What it does is the following:
In other words, most of your data is still there...it's just that the computer can't find it on its own (on account of having deleted the address tables). However, there is plenty of cheap software out there that can recover this information for you.
Likewise, deleting data just marks a particular area in the hard drive as "available for data to be written."
Technically, there is no way to "delete" data. As pointed out, what gets deleted is essentially the way for the computer to retrieve that particular piece of information. The only way to "delete" data is to replace it. And, the only way to replace data is to write over it with new data. In fact, what your IT department does prior to tossing a hard disk is pretty simple: use data writing software on them to write random information throughout the disk. Run it three times or so for modern disks, and it's pretty much guaranteed that the old data--the sensitive e-mails, bank account numbers, etc.--will not be recoverable.
Technically, there is no way to "delete" data. As pointed out, what gets deleted is essentially the way for the computer to retrieve that particular piece of information. The only way to "delete" data is to replace it.
And, the only way to replace data is to write over it with new data. In fact, what your IT department does prior to tossing a hard disk is pretty simple: use data writing software on them to write random information throughout the disk.
Run it three times or so for modern disks, and it's pretty much guaranteed that the old data--the sensitive e-mails, bank account numbers, etc.--will not be recoverable.
The use of encryption software can also achieve the same degree of security, since information is stored in a random format (it only turns back into usable information when a password is provided). Assuming the password to access the encrypted disk is not attached to the drive, the contents of the drive are secure when one decides to sell it on eBay. The problem is--and I'm not lawyer but I think this sounds about right--a company can't dictate what one does with his personal property. I guess the correct solution would be not to allow corporate files to be downloaded to home computers, or to only allow encrypted files to be downloaded, or even to give corporate laptops employees working from home. Since that particular computer is company property, installing encryption and protecting the contents would be feasible.
The use of encryption software can also achieve the same degree of security, since information is stored in a random format (it only turns back into usable information when a password is provided). Assuming the password to access the encrypted disk is not attached to the drive, the contents of the drive are secure when one decides to sell it on eBay.
The problem is--and I'm not lawyer but I think this sounds about right--a company can't dictate what one does with his personal property. I guess the correct solution would be not to allow corporate files to be downloaded to home computers, or to only allow encrypted files to be downloaded, or even to give corporate laptops employees working from home.
Since that particular computer is company property, installing encryption and protecting the contents would be feasible.
Related Articles and Sites:http://www.irishtimes.com/newspaper/finance/2009/0703/1224249965663.html
State Rep. Frank Dermody, a Pennsylvania state representative, has had his state-issued laptop computer stolen. There was no sensitive data on the computer, according to the Pittsburgh Tribune-Review. This is probably the best type of data security one could have: no sensitive data means no data breach. But, this doesn't preclude the need for data security software like hard disk encryption from AlertBoot.
The problem with computers is that generally one can't be absolutely sure that there was no sensitive information stored on them. Sure, they start out being used for some "official" purpose, and documents are signed and initialed to establish that a computer user has read and understood an agency's computer security policies. But soon enough, the use of that computer devolves to other things as well, especially for laptop computers. Why? Because they are portable, and can be taken outside a workplace; and once they're out of the workplace... Maybe the kids will want to surf the net, and the home computer has been sent for repairs, so one turns to the work computer. Or maybe the home computer can't be trusted, and one knows the workplace computer is better protected and maintained, so that's used for on-line banking...which actually turns out to be a phishing scam. So, even though it may not be the case in this particular instance, the use of information security programs like encryption software, antivirus software, and other programs (as needed) should be installed on a computer.
The problem with computers is that generally one can't be absolutely sure that there was no sensitive information stored on them. Sure, they start out being used for some "official" purpose, and documents are signed and initialed to establish that a computer user has read and understood an agency's computer security policies.
But soon enough, the use of that computer devolves to other things as well, especially for laptop computers. Why? Because they are portable, and can be taken outside a workplace; and once they're out of the workplace...
Maybe the kids will want to surf the net, and the home computer has been sent for repairs, so one turns to the work computer. Or maybe the home computer can't be trusted, and one knows the workplace computer is better protected and maintained, so that's used for on-line banking...which actually turns out to be a phishing scam.
So, even though it may not be the case in this particular instance, the use of information security programs like encryption software, antivirus software, and other programs (as needed) should be installed on a computer.
In the case of our state representative above, I get the feeling that disk encryption was used on the now-missing laptop. According to the Pittsburgh Tribune-Review, the legislature's IT department "erased [Rep. Dermody's] password" when he contacted them about the laptop's theft. Which, outside the context of encryption, doesn't make much sense. For example, let's say that there was password-protection on that computer. If one gets rid of the password...well, what's protecting it? On the other hand, if an encrypted computer's password is deleted, encryption still protects the contents of that computer. In fact, getting rid of the password is probably the best policy if a computer gets stolen. This way, the only way to gain access to the computer is by figuring out the encryption key, which is harder to randomly guess than a password (well, assuming your IT guy did his job properly).
In the case of our state representative above, I get the feeling that disk encryption was used on the now-missing laptop. According to the Pittsburgh Tribune-Review, the legislature's IT department "erased [Rep. Dermody's] password" when he contacted them about the laptop's theft.
Which, outside the context of encryption, doesn't make much sense. For example, let's say that there was password-protection on that computer. If one gets rid of the password...well, what's protecting it?
On the other hand, if an encrypted computer's password is deleted, encryption still protects the contents of that computer. In fact, getting rid of the password is probably the best policy if a computer gets stolen. This way, the only way to gain access to the computer is by figuring out the encryption key, which is harder to randomly guess than a password (well, assuming your IT guy did his job properly).
Related Articles and Sites:http://www.pittsburghlive.com/x/pittsburghtrib/news/breaking/s_631883.html
Definition of "breach of security" and "personal information" What to do in the event of a breach Notifications - How To New Jersey's personal information data breach laws contain a safe harbor for entities that use encryption (specifically, the New Jersey Statute 56:8-161 and 56:8-163). I'm not a lawyer, but thankfully the law is written clearly and is easy to follow.
New Jersey's personal information data breach laws contain a safe harbor for entities that use encryption (specifically, the New Jersey Statute 56:8-161 and 56:8-163). I'm not a lawyer, but thankfully the law is written clearly and is easy to follow.
As defined under 56:8-161, when it comes to data, a "breach of security" is ...unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. [my emphasis] Of course, the law being the law, a definition of "personal information" is also required. It's actually a combination of factors. First, personal information must include a last name and either a first name or the first initial, and it must be combined with any of the following: Social Security number; Driver's license number or State identification card number; or Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
As defined under 56:8-161, when it comes to data, a "breach of security" is
...unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. [my emphasis]
Of course, the law being the law, a definition of "personal information" is also required. It's actually a combination of factors. First, personal information must include a last name and either a first name or the first initial, and it must be combined with any of the following:
If your company loses, say, a laptop computer or a USB stick, and it was not protected via encryption software, it will have to disclose said breach to customers. The law does give the company some leeway. According to 56:8-163, disclosure is not necessary if the company "establishes that misuse of the information is not reasonably possible." One can see how such a provision could be abused. For example, even if hard disk encryption was not used on a stolen laptop with sensitive info, one could (in a state of denial or drug-induced misjudgment) come to the conclusion that there's no risk to the customers. Which is why the law also requires that "any determination shall be documented in writing and retained for five years." In other words, you may have to justify your conclusions if the law comes knocking around.
If your company loses, say, a laptop computer or a USB stick, and it was not protected via encryption software, it will have to disclose said breach to customers.
The law does give the company some leeway. According to 56:8-163, disclosure is not necessary if the company "establishes that misuse of the information is not reasonably possible."
One can see how such a provision could be abused. For example, even if hard disk encryption was not used on a stolen laptop with sensitive info, one could (in a state of denial or drug-induced misjudgment) come to the conclusion that there's no risk to the customers. Which is why the law also requires that "any determination shall be documented in writing and retained for five years."
In other words, you may have to justify your conclusions if the law comes knocking around.
OK, so you make the determination that you've got announce a data breach and contact those who were affected. How do you do it? According to 56:8-163, if the cost of providing notice is $250,000 or less, it must be a "written notice" or an electronic notice that is consistent with "section 101 of the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. s.7001)." A substitute notice to the above can be made if: Notification cost exceeds $250,000; or, People to be notified exceeds 500,000; or, There isn't sufficient contact information to notify all directly Substitute notices must include Notification to major statewide media; and, E-mail notice; and, Posting on the company's website And that's just for getting in touch with people whose information was exposed. There are other requirements dealing with law enforcement, consumer reporting agencies, and other issues. I guess the gist of the law is, use encryption programs to secure any sensitive information at your company. Oh, and it goes withouth saying, get yourself a good lawyer...
OK, so you make the determination that you've got announce a data breach and contact those who were affected. How do you do it?
According to 56:8-163, if the cost of providing notice is $250,000 or less, it must be a "written notice" or an electronic notice that is consistent with "section 101 of the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. s.7001)."
A substitute notice to the above can be made if:
Substitute notices must include
And that's just for getting in touch with people whose information was exposed. There are other requirements dealing with law enforcement, consumer reporting agencies, and other issues.
I guess the gist of the law is, use encryption programs to secure any sensitive information at your company. Oh, and it goes withouth saying, get yourself a good lawyer...
6,000 current and former employees at Sutter Health in Sacramento are being notified that they should keep an eye on their credit reports. The warning stems from a surprise laptop data breach which looks to be contained. Had a data security measure like laptop encryption software been used, the entire incident could have been avoided. Nevertheless, Sutter should be counting its blessings.
Sutter Health officials only learned of the data breach when a computer repair service called them last month regarding a laptop computer. While there aren't enough details in the media as of yet, it looks like the computer was brought in for repairs, and in that process, the technicians found a file with sensitive information--SSNs and names, at least--and contacted Sutter. Sutter officials did not realize that the laptop was out and about. According to an article at cbs13.com, it was believed that the laptop in question was still in possession of the employee who had been issued this computer back in 2007. It is not known who brought in the laptop for repairs, or what prompted the technicians to call up Sutter...which is pretty weird. I mean, if a Sutter employee brings in a Sutter computer for repairs, what's so unusual about that? So, the actions on the part of the technicians seems to imply that something was fishy about the entire affair.
Sutter Health officials only learned of the data breach when a computer repair service called them last month regarding a laptop computer. While there aren't enough details in the media as of yet, it looks like the computer was brought in for repairs, and in that process, the technicians found a file with sensitive information--SSNs and names, at least--and contacted Sutter.
Sutter officials did not realize that the laptop was out and about. According to an article at cbs13.com, it was believed that the laptop in question was still in possession of the employee who had been issued this computer back in 2007.
It is not known who brought in the laptop for repairs, or what prompted the technicians to call up Sutter...which is pretty weird. I mean, if a Sutter employee brings in a Sutter computer for repairs, what's so unusual about that? So, the actions on the part of the technicians seems to imply that something was fishy about the entire affair.
Sutter Health's computer technicians (not the repair guys) checked out the hard drive, and found that it was not accessed by anyone since 2007 (except for the guys who called in), according to cbs13.com. Wha-? The thing was issued back in 2007, it was unaccessed since 2007, and it only surfaced about a month ago? Plus, Sutter didn't realize the laptop was missing, so the employee who had been issued the computer either a) only used the computer for a very short time since it was issued and lost it quite recently or b) lost it over one year ago and never reported it (nor was he required to produce it as part of a regular inventory checkup). There is also the possibility that the employee is being the fall guy: he could have returned the laptop in question, but the company lost track of it and ended up somewhere--like eBay. Regardless, it makes management look quite unfit (at least, as far as data security is concerned). But, that doesn't mean that management is incompetent. Since the breach, Sutter is quite belatedly starting to use encryption software on all laptop computers. Employees are also being told not to save files locally, on hard drives, but on network drives that can be monitored and secured by the company. Furthermore, old computers will be kept track of when disposed, so that data breaches can't happen at the end of a computer's life.
Sutter Health's computer technicians (not the repair guys) checked out the hard drive, and found that it was not accessed by anyone since 2007 (except for the guys who called in), according to cbs13.com.
Wha-?
The thing was issued back in 2007, it was unaccessed since 2007, and it only surfaced about a month ago? Plus, Sutter didn't realize the laptop was missing, so the employee who had been issued the computer either a) only used the computer for a very short time since it was issued and lost it quite recently or b) lost it over one year ago and never reported it (nor was he required to produce it as part of a regular inventory checkup).
There is also the possibility that the employee is being the fall guy: he could have returned the laptop in question, but the company lost track of it and ended up somewhere--like eBay.
Regardless, it makes management look quite unfit (at least, as far as data security is concerned). But, that doesn't mean that management is incompetent. Since the breach, Sutter is quite belatedly starting to use encryption software on all laptop computers. Employees are also being told not to save files locally, on hard drives, but on network drives that can be monitored and secured by the company.
Furthermore, old computers will be kept track of when disposed, so that data breaches can't happen at the end of a computer's life.
The use of encryption is very important when it comes to digital data, since these can be easily copied, transferred, and made publicly available (a fact that anyone in the media industry can readily attest to). So, how does encryption protect said data? Basically, encryption software like AlertBoot will take your original data--composed of 1's and 0's--and scramble them up, in a logical fashion. Of course, it's a little more complicated than that, but that's the gist of the matter. And don't let the simplicity fool you: encrypted data using strong encryption is so powerful that the ability to hack it is measured in geologic terms (eons, really).
The use of encryption is very important when it comes to digital data, since these can be easily copied, transferred, and made publicly available (a fact that anyone in the media industry can readily attest to).
So, how does encryption protect said data? Basically, encryption software like AlertBoot will take your original data--composed of 1's and 0's--and scramble them up, in a logical fashion. Of course, it's a little more complicated than that, but that's the gist of the matter.
And don't let the simplicity fool you: encrypted data using strong encryption is so powerful that the ability to hack it is measured in geologic terms (eons, really).
Related Articles and Sites:http://cbs13.com/local/sutter.health.laptop.2.1066081.htmlhttp://www.news10.net/news/local/story.aspx?storyid=62294&catid=2
Journalists have found a computer hard drive that contained sensitive documents belonging to US defense contractor Northrop Grumman. They found this disk drive--of all places--in a market in Ghana. The disk didn't feature hard drive encryption software like AlertBoot, so the contents were readily accessible. The cost? $40.
It may be a fluke or it might be a worrisome sign; however, one thing's for sure: Northrop was pretty lucky that the drive was found by reporters working for Frontline, the investigative journalism show for PBS (and one of the reasons for supporting this TV channel--beats Fox News or CNN any day of the week, in my opinion). While the contents of those drives were not revealed, it was disclosed that the electronic documents were marked as "competitive sensitive." That sounds like contracts were and other competitive practices were involved, and thankfully, it implies that, if crap were to hit the fan, it would have been Northrop Grumman that would have been most affected. On the other hand, a well-written contract gives one enough details to know what's going on. It may not be as good as a weapon's blueprint, but it could give outsiders a good idea on what to expect in terms of future armament or shields, or what type of research and development is being carried out. Plus, other information was recorded as well, such as "how to recruit airport screeners" and "data security practices."
It may be a fluke or it might be a worrisome sign; however, one thing's for sure: Northrop was pretty lucky that the drive was found by reporters working for Frontline, the investigative journalism show for PBS (and one of the reasons for supporting this TV channel--beats Fox News or CNN any day of the week, in my opinion).
While the contents of those drives were not revealed, it was disclosed that the electronic documents were marked as "competitive sensitive." That sounds like contracts were and other competitive practices were involved, and thankfully, it implies that, if crap were to hit the fan, it would have been Northrop Grumman that would have been most affected.
On the other hand, a well-written contract gives one enough details to know what's going on. It may not be as good as a weapon's blueprint, but it could give outsiders a good idea on what to expect in terms of future armament or shields, or what type of research and development is being carried out.
Plus, other information was recorded as well, such as "how to recruit airport screeners" and "data security practices."
Northrop Grumman has announced that they don't know how the drive could have ended up in Ghana. The drive belonged to an employee in Fairfax, Virginia, and it's a long way from the suburbs of DC to the Dark Continent. I think the assumption is that an outside contractor that was supposed to dispose of the hard drive did not. Whether this was an accident, an egregious breach of duty, or theft...who knows? This is the funny thing, though: it's weird for a used hard drive to end up in Africa. For example, if I were an employee who had filched a hard drive from work, just to sell on eBay, you can bet I wouldn't be sending things to a continent that includes Nigeria (sorry, Nigeria, but your country's name is tied to scams for the time being, even if it's unwarranted). About the only way that I could imagine an American hard drive ending up in Africa? If it were one of a batch of used hard drives. The truth is, many developing countries are dumping grounds for electronic waste, which are reclaimed for the precious metals and other materials that are contained in them. A batch of hard drives implies...well, that perhaps Northrop should possibly be worried about other hard drives that were not uncovered by the journalists.
Northrop Grumman has announced that they don't know how the drive could have ended up in Ghana. The drive belonged to an employee in Fairfax, Virginia, and it's a long way from the suburbs of DC to the Dark Continent.
I think the assumption is that an outside contractor that was supposed to dispose of the hard drive did not. Whether this was an accident, an egregious breach of duty, or theft...who knows?
This is the funny thing, though: it's weird for a used hard drive to end up in Africa. For example, if I were an employee who had filched a hard drive from work, just to sell on eBay, you can bet I wouldn't be sending things to a continent that includes Nigeria (sorry, Nigeria, but your country's name is tied to scams for the time being, even if it's unwarranted).
About the only way that I could imagine an American hard drive ending up in Africa? If it were one of a batch of used hard drives. The truth is, many developing countries are dumping grounds for electronic waste, which are reclaimed for the precious metals and other materials that are contained in them.
A batch of hard drives implies...well, that perhaps Northrop should possibly be worried about other hard drives that were not uncovered by the journalists.
There's a problem with recommending that disk drives be protected with encryption software when they're about to be discarded into the maw of a crushing and grinding machine. It doesn't seem to make sense. What's the use? Who's going to glue together a mound of fine sand and metal together, and return it to its previous, uncrushed state? Is it even possible? On the other hand, it doesn't make sense only because one makes the assumption that the disk will, indeed, be destroyed. As the above case shows, there is no such guarantee. Had Northrop been paranoid enough, it would have encrypted their computers' disks while in use, and kept them encrypted when they were sent to be destroyed. And, if someone had stolen one of these disks to drive his business on the side, the contents of Northrop's drives would have remained safe. If that's not an option, at least Northrop should have contracted out the job to a business that will drive the crushing machine to Northrop's facilities. They'll crush the drives on-site, while an employee watches, and issue certificates with serial numbers and the works for auditing purposes.
There's a problem with recommending that disk drives be protected with encryption software when they're about to be discarded into the maw of a crushing and grinding machine. It doesn't seem to make sense. What's the use? Who's going to glue together a mound of fine sand and metal together, and return it to its previous, uncrushed state? Is it even possible?
On the other hand, it doesn't make sense only because one makes the assumption that the disk will, indeed, be destroyed. As the above case shows, there is no such guarantee. Had Northrop been paranoid enough, it would have encrypted their computers' disks while in use, and kept them encrypted when they were sent to be destroyed.
And, if someone had stolen one of these disks to drive his business on the side, the contents of Northrop's drives would have remained safe.
If that's not an option, at least Northrop should have contracted out the job to a business that will drive the crushing machine to Northrop's facilities. They'll crush the drives on-site, while an employee watches, and issue certificates with serial numbers and the works for auditing purposes.
Related Articles and Sites:http://itworld.com/security/69758/reporters-find-northrop-grumman-data-ghana-market
The theft of two laptops on June 4th has affected 250,000 patients at the University of Alberta Hospital. The information on the two machines includes names, birth dates, personal health numbers, and test results for STDs. The question is, was drive encryption software like AlertBoot used on these machines? Depending on who you quote, one gets different answers.
According to ctv.ca, the hospital has announced that the laptops are protected by "a security program that requires multiple passwords" and as such "the public should not be concerned, we believe there's a very low, low risk of any information on those devices being made accessible to anybody else." Of course, the problem is that passwords can be bypassed. When I say bypassed, I don't necessarily mean that data on a file can be accessed directly (to do so generally requires correctly guessing the password). I mean, there is software out there--hex editors, for example--that allows you to easily see the information in a file. Also, depending on the situation, it could reveal the password as well. So, while having password-protection in place is better than nothing, if the thief happens to know what he's doing (or, at least, has the wits to do a couple of searches in Google), it's barely better than nothing.
According to ctv.ca, the hospital has announced that the laptops are protected by "a security program that requires multiple passwords" and as such "the public should not be concerned, we believe there's a very low, low risk of any information on those devices being made accessible to anybody else."
Of course, the problem is that passwords can be bypassed. When I say bypassed, I don't necessarily mean that data on a file can be accessed directly (to do so generally requires correctly guessing the password).
I mean, there is software out there--hex editors, for example--that allows you to easily see the information in a file. Also, depending on the situation, it could reveal the password as well.
So, while having password-protection in place is better than nothing, if the thief happens to know what he's doing (or, at least, has the wits to do a couple of searches in Google), it's barely better than nothing.
The Information and Privacy Commissioner, Frank Work, has claimed that he is "shocked" about the information security used in this case. According to him, the standard for storing personal and other sensitive information--such as medical information--on portable devices is encryption. But, this is where the story takes a weird turn. According to the hospital spokesman, "the latest laptops to be stolen were encrypted but not with the most up-to-date software." I'm assuming he's referring to the two computers that were stolen, unless other laptops were stolen since then. So...since when is encryption not encryption? Well, when weak encryption is used. Because of advances in technology, what was considered safe today may not be considered as such tomorrow. For example, the standard right now is 128-bit AES encryption, or equivalent. This is what you use for on-line bank transactions, for example. As computers get faster, though, at some point the protection offered by this encryption will not be considered powerful enough, and people will have to switch up, to 256-bit encryption (which won't be for some time...maybe, a decade or so? It all depends). If you will, it's like finding that your castle walls are not effective anymore because the enemy has figured out how to build better, longer, and stronger ladders, so now you have to make your castle walls even higher--and now, the enemy has to figure out how to build even better, longer, stronger ladders.... So, is the information on those two laptops secure or not? It's hard to tell. Obviously, it's better protected than originally thought (weak encryption beats password-protection any day). But, it would be possible--with the right resources--to gain access to the contents on the laptops' hard disks. It would, however, take considerable time as well.
The Information and Privacy Commissioner, Frank Work, has claimed that he is "shocked" about the information security used in this case. According to him, the standard for storing personal and other sensitive information--such as medical information--on portable devices is encryption.
But, this is where the story takes a weird turn. According to the hospital spokesman, "the latest laptops to be stolen were encrypted but not with the most up-to-date software." I'm assuming he's referring to the two computers that were stolen, unless other laptops were stolen since then.
So...since when is encryption not encryption?
Well, when weak encryption is used. Because of advances in technology, what was considered safe today may not be considered as such tomorrow. For example, the standard right now is 128-bit AES encryption, or equivalent. This is what you use for on-line bank transactions, for example.
As computers get faster, though, at some point the protection offered by this encryption will not be considered powerful enough, and people will have to switch up, to 256-bit encryption (which won't be for some time...maybe, a decade or so? It all depends).
If you will, it's like finding that your castle walls are not effective anymore because the enemy has figured out how to build better, longer, and stronger ladders, so now you have to make your castle walls even higher--and now, the enemy has to figure out how to build even better, longer, stronger ladders....
So, is the information on those two laptops secure or not? It's hard to tell. Obviously, it's better protected than originally thought (weak encryption beats password-protection any day). But, it would be possible--with the right resources--to gain access to the contents on the laptops' hard disks. It would, however, take considerable time as well.
Related Articles and Sites:http://calgary.ctv.ca/servlet/an/local/CTVNews/20090624/edm-uofa_090624/20090624/?hub=CalgaryHome