Two computers were stolen from AvMed Health Plans, compromising the information for nearly 210,000 subscribers and dependents. It sounds like disk encryption was used to protect the laptops; however, there is a fear that "one of the laptops may not have been encrypted properly."
The information security breach affects 80,000 current subscribers and dependents, as well as 128,000 former subscribers and their dependents. The information dates back to April 2003.
The theft of the laptops occurred on December 10 of last year from a locked conference room. The room remained secured throughout the night, and the laptops were discovered missing the next day. The implication seems to be that someone with keys to the locked room was involved, such as janitors or night security staff.
It was not revealed how AvMed arrived at the conclusion that the encryption software, meant to protect the information, was not installed properly.
It could mean that it was only done partially, such as encrypting a partition in the computer's drive instead of using full disk encryption to protect the entire thing. Or, perhaps, the company used file encryption to protect individual files, and only realized after an investigation that important files were not protected. Or, the company could be referring to their overall encryption program: it could be that the one computer was found not to be encrypted at all, when it should have been.
Let's face it: figuring out what was encrypted and what wasn't is hard, and becomes harder the more equipment you've got to protect.
Imagine an organization that has 1,000 employees. Chances are, there are also 1,000 computers. And while not all of them store sensitive information, management has decided to encrypt all computers because it's impossible to figure out which computers will end up with sensitive information.
Now, I'm not going to argue that that is a terrible approach to security. It's quite apparent, just by taking a peek at data breach news, that people really have no idea where sensitive data ends up, so it's definitely a valid approach.
However, it does create a logistical problem: how can administrators tell whether all computers have been properly protected? Just like security tends to be an afterthought to software programs, such administrative needs seem to be afterthoughts when it comes to security software as well.
Not so with centrally-managed AlertBoot encryption software, which was developed with the above in mind. The audit reporting is integrated with the encryption software, allowing one to easily see login attempts, user actions, and the encryption status of computers.
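The three failure modes discussed above (one partition encrypted instead of the whole disk, file-level encryption that misses important files, and a machine that was never encrypted at all) are exactly what a central status report has to distinguish. The following is an added example, not AlertBoot's code: it reads a constructed per-computer inventory (the record format is an assumption for this illustration) and classifies each machine, treating a missing report as non-compliant rather than as protected.

```python
"""Fleet encryption-compliance check over a constructed inventory.

Added example; not AlertBoot's or any product's code. The record format
(one JSON object per computer listing its volumes and how each is
protected) is an assumption made for this illustration.
"""
import json
from collections import Counter

# Constructed sample of what a centrally-managed agent might report back.
# Per-volume "protection" is one of:
#   "fde"  - full-disk / full-volume encryption
#   "file" - only selected files encrypted
#   "none" - no encryption
INVENTORY = """
{"host": "ws-001", "volumes": [{"mount": "C:", "protection": "fde"}]}
{"host": "ws-002", "volumes": [{"mount": "C:", "protection": "fde"}, {"mount": "D:", "protection": "none"}]}
{"host": "ws-003", "volumes": [{"mount": "C:", "protection": "file"}]}
{"host": "ws-004", "volumes": [{"mount": "C:", "protection": "none"}]}
{"host": "ws-005", "volumes": []}
"""

COMPLIANT = "fully-encrypted"


def classify(record):
    """Map one computer's report to a compliance status string."""
    volumes = record.get("volumes", [])
    if not volumes:
        # No volume report at all: we cannot assume it is protected.
        return "unknown"
    kinds = set()
    for vol in volumes:
        kind = vol.get("protection", "none")
        # Anything we do not recognise is treated conservatively as clear.
        kinds.add(kind if kind in ("fde", "file", "none") else "none")
    if kinds == {"fde"}:
        return COMPLIANT
    if "fde" in kinds:
        # e.g. system volume encrypted but a data volume left in the clear
        return "partially-encrypted"
    if "file" in kinds:
        # file-level encryption only; whether the right files were covered
        # cannot be verified from a volume report
        return "file-level-only"
    return "unencrypted"


def audit(inventory_text):
    """Return {host: status} for every record in the inventory."""
    results = {}
    for line in inventory_text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        results[rec["host"]] = classify(rec)
    return results


def summarize(results):
    """Return (status counts, sorted list of non-compliant hosts)."""
    counts = Counter(results.values())
    noncompliant = sorted(h for h, s in results.items() if s != COMPLIANT)
    return counts, noncompliant


if __name__ == "__main__":
    statuses = audit(INVENTORY)
    counts, bad = summarize(statuses)
    for host, status in sorted(statuses.items()):
        print(f"{host}: {status}")
    print("needs attention:", ", ".join(bad))
```

Only "fully-encrypted" counts as compliant; every other bucket, including hosts that never reported, lands on the follow-up list an administrator would work through.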
Related Articles and Sites:
http://www.gainesville.com/article/20100208/ARTICLES/100209476/1002
http://www.ocala.com/article/20100208/ARTICLES/100209743?Title=AvMed-Data-of-208-000-at-risk-after-theft
St. Albans Council has found that data protection does not end at using data encryption software.
If you'll recall, St. Albans experienced a breach nearly one year ago, when four laptops were stolen, affecting 14,500. Since then, the council has made a number of changes to better protect sensitive information, including the physical lockdown of computers and the use of encryption software to protect data.
A security consulting firm was brought in to check on the changes. The firm found that while data is better protected than before, the council could make some further changes to better guarantee information security.
One of the suggested changes was to better educate staff not to share passwords. Other recommendations included "audit files for all log-ins and access to databases."
Clearly, the latter recommendation hinges upon the security of passwords. Think about it: if everyone uses the same password to log in to a computer, then the auditing of files and logs is worthless--they'd all point to one person.
The thing about data security is that you really can't let your guard down since it's never known in advance when a threat will strike. Unfortunately, it's nearly impossible to keep your guard up all the time. Heck, even the military has various stages of "alerts," and never do they stay at high alert all the time.
When it comes to data security, then, the trick is to use different methods that will complement one another. For example, if passwords are being shared, then a policy of periodically changing passwords is definitely necessary. (As opposed to a policy of changing passwords every six months and requiring the user to create a 24-character-long, mixed-character password; in my opinion, that latter one usually doesn't require periodic password changes at all, regardless of what best security practices happen to be.)
Related Articles and Sites:
http://www.hertsad.co.uk/content/herts/news/story.aspx?brand=HADOnline&category=News&tBrand=HertsCambsOnline&tCategory=newslatestHAD&itemid=WEED04%20Feb%202010%2012%3A16%3A38%3A390
http://www.documentmanagementnews.com/the-news/general-news/52-data-security/369-st-albans-council-still-failing-on-data-security-despite-the-theft-of-four-elector-data-laptops-says-socitm.html
5,400 medical files were saved on computer drives stolen during a break-in in the UK. However, there is no need to fear a data breach, since it looks like encryption software, like hard disk encryption from AlertBoot, was used to secure the contents.
Thieves broke into a doctors' surgical practice over Christmas and stole various items. Included were two computer hard drives and several DVDs that were used as backups. Thankfully, the doctors had the sense to protect the information with encryption.
(Due to the nature of the media, I assume full disk encryption was used for the drives, and that file encryption was used for the DVDs.)
It turns out that misfortune is a frequent visitor to this venue. According to the BBC, in November 2009, a fire at the surgery damaged thousands of files. Another fire broke out one week later.
Hm. Perhaps that's what prompted them to secure their digital files in the first place? It's commonly known that those who've experienced ill-luck are the ones usually best prepared for the vicissitudes of life.... It also explains why people move to secure files once they've had a data breach, while those who've never had one (or don't realize they've already had one) talk the talk, but don't walk the walk of data security.
I had originally come across this article while perusing the databreaches.net site. The administrator of that site notes that "some might not consider this a breach because of the encryption."
I'm part of that "some." While my opinion may differ from others (clearly certain laws do not--they provide safe harbor from notifying customers of data breach if encryption was used to protect personal or sensitive data), it seems to me that encrypted data cannot lead to a breach. Think of it in the following way: What exactly is a data breach?
It's the access of any information by unauthorized people. That means that, if unauthorized people cannot access the data, there is no breach. That's why, if documents are locked in a closet and a thief is not able to access the closet, there is no data breach. If the thief is able to gain access to the closet, it's a breach. If he steals the files, it's a worrisome breach.
It's the same if instead of a locked closet, we use a phalanx of security guards or a really stinky skunk: the key question is "was the data accessed?" Likewise with encryption: was the data accessed?
So, yeah, I tend to think that the loss of encrypted data--secured by data security tools like AlertBoot--is not a data breach. With one caveat, though: that the keys to accessing the encrypted data were not stolen as well.
Related Articles and Sites:
http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/8498102.stm
http://www.databreaches.net/?p=9817
A memory disk that was not secured with disk encryption software has been lost, affecting 200 disabled people living in the borough of Wigan. The Wigan Council has alerted the affected, and has declared a ban on using USB flashdrives.
This is the second breach in less than one year. Around April of last year, Wigan Council had announced the theft of a laptop computer that contained the information on 33,000 students. I had noted at the time that it didn't seem like a big deal, but with reservations.
More appalling is the fact that the council had to sign an Undertaking with the UK Information Commissioner, promising to protect personal data, only three months ago, as a result of that first breach. The Information Commissioner gained the right to fine agencies not too long ago. We'll have to see what the ICO decides to do with this current situation.
While not confirmed yet, it is believed that the pen drive was lost on the train (it's been confirmed only that it dropped out of an employee's pockets). According to reports, one employee has been suspended, and another disciplined.
The information on the lost USB thumbdrive includes names, addresses, national insurance numbers, ethnicity, and types of disability. Financial information was not included.
The Wigan Council has announced that "it will extend its encryption programme and it has now banned the use of all memory sticks."
I don't know whether to applaud these people or...do something else. Extend their managed data encryption program (http://www.alertboot.com/disk_encryption/central_encryption_software_management.aspx)? To what? How? I would imagine that, after their first breach, the need for encryption throughout was quite obvious. Did the council only now realize that--gasp!--small electronic devices designed to store information can get lost or stolen as well, in addition to laptop computers?
If it's determined that encryption software is required, it generally is required for any and all devices that may store sensitive data. There shouldn't be a need to "extend" anything, although there may be a need for constant "maintenance"--getting encryption set up on any new purchases, for example.
Related Articles and Sites:
http://news.bbc.co.uk/2/hi/uk_news/england/manchester/8496225.stm
http://www.techeye.net/security/wigan-council-loses-200-disabled-peoples-personal-details
http://www.publictechnology.net/modules.php?op=modload&name=News&file=article&sid=22510&mode=thread&order=0&thold=0
PF Chang's China Bistro has notified the NH Attorney General's office that stolen equipment may lead to a breach of employee information. Data encryption software like AlertBoot endpoint security was not used, it appears, although password protection was in place.
Databreaches.net reveals that PF Chang set up http://www.notifyinformation.com/Faq.aspx in order to provide information regarding the data breach. Oddly enough, it's only in English, although the material filed with the NH Ag shows breach notification letters in English and Spanish.
PF Chang hasn't revealed what type of device was stolen (was it a laptop? External disk drive? USB memory stick?). What has been revealed at this point is that it was electronic equipment of value that could store employee information; more specifically, names, dates of birth, and SSNs of 73 residents of New Hampshire (although I suspect it may affect even more employees. PF Chang's China Bistro has a nation-wide presence with 350 outlets under the PF Chang and Pei Wei restaurant names).
It was also not revealed where the theft took place, although it was noted that the company discovered the theft "within an hour of the incident." The password to the password-protection was not revealed to the thieves.
I'd say that signs point to the stolen electronic device being a computer: to begin with, it has to be something that's used frequently (theft of devices like backup drives are not usually found within an hour of their theft, for example).
And, it used password-protection. Not that password-protection is unavailable on, say, portable hard disk drives. However, it's more common on computers than other devices.
Plus, I figure that a company that's willing to go around installing password-protection on external drives is probably security-oriented, and would have soon realized that password-protection always takes a backseat to data protection using encryption software.
While the initial objective of the theft was probably stealing the device, it does not preclude the thief from attempting to gain access to it. And while the presence of password-protection does provide some comfort, it's far from guaranteed that the information will not be accessed.
On the other hand, the use of encryption comes much, much closer to that guarantee.
Related Articles and Sites:
http://doj.nh.gov/consumer/pdf/pf_chang.pdf
http://www.databreaches.net/?p=9749
http://www.slate.com/id/2218402/
1,400 students, alumni, employees, and prospective students are affected by the theft of three laptop computers from Columbia University offices, according to The Bwog. It looks like disk encryption was not used to secure the contents of the stolen laptops, a move that would have ensured the safety of the data.
Although details have yet to be released, Columbia has confirmed that SSNs were included in the stolen laptops. It was also confirmed that password-protection was used (a safety precaution that is unworthy of its name, once you get to know the details on how it can be bypassed. It's as easy as googling it).
The university will be offering two years of credit monitoring.
This is not the first time that Columbia had an information security issue. In 2008, the university discovered a breach of a different kind, when SSNs for 5,000 students were inadvertently posted on-line.
The current dean of Columbia has announced that the university will be doing:
"more encryption of sensitive information, establishing new security safeguards in administrative offices, and intensifying its scanning of computer equipment for security threats."
It's kind of disappointing to hear the above, since this is the second major data breach in as many years. I would argue that the use of encryption software on any computers used for administrative purposes should have been implemented soon after the 2008 breach.
Well, at least it should have been for devices that were used for processing sensitive data, such as SSNs. Did the university not carry out a data risk assessment after the 2008 incident? (The current dean can hardly be blamed if not: she took over the position just last year.)
According to surveys, the loss and theft of laptops, desktops, external hard drives, and other data storage devices account for over 30% of data breaches.
There are organizations out there that are loath to implement full disk encryption like AlertBoot on their company computers. One of the reasons, among many, is that it interrupts the workflow.
In the above case, though, it would be untrue. Using encryption is about as difficult as using password-protection: from a user's point of view, all one has to do is type in a password. On the back end, though, encryption ensures that data is truly protected, while password-protection just gives the impression of data protection.
Related Articles and Sites:
http://bwog.net/2010/01/29/breaking-police-investigating-laptop-theft-security-breach-of-1400-columbia-affiliates
http://www.nypost.com/p/news/local/manhattan/id_info_stolen_at_columbia_zZfD7lvBLtvT51LzPz4VuN
http://www.upi.com/Top_News/US/2010/02/01/Stolen-laptops-had-Social-Security-info/UPI-20421265049767/