TD Canada Trust is letting customers know that they should be on the lookout for suspicious activity regarding their accounts. Based on what type of information may have been breached, the “accounts” in this case refer to any held with TD as well as other financial institutions. Although not specifically stated, it sounds like data protection tools like AlertBoot full disk encryption were not used. Such software would have gone a long way in protecting customers’ information—beyond what is afforded by credit monitoring services (which is being offered to those affected).
The customer data that could be used for nefarious purposes include “names, addresses, birthdates, social insurance numbers, account numbers, bill payment details, transactions and balances,” according to an article at the Vancouver Sun. This information was residing within the computer equipment that got stolen during a break‑in on June 22. The alarm was triggered, but the thieves made off with the goods anyway. The bank representative declined to specify what type of computer equipment got stolen. I can’t also help but notice that the word “equipment” is both plural and singular—it could have been one external hard drive, a bunch of laptops, a stack of tapes, a USB flash drive, or some combination thereof: there’s just no way to know from what’s reported. Not that this matters in the long run. Information that is not secured via the use of data encryption is infinitely easier to access than encrypted data (and I do mean “infinite” in the literal sense).
I’ve already blogged yesterday how Anheuser‑Busch also was facing something similar in nature, where thieves broke into the brewer’s offices and stole computer equipment (laptops, in their case). When it comes to security, people seem to take solace in the existence of walls and locks on doors.
I mean, those things make the world a little safer for all of us. But that’s only because people respect the implication of “don’t come in.” The protection given to us by doors and locks…it’s more mental than it’s physical, if you really think about it. How many times have you seen people throw down the doors on TV? Did you think to yourself, “pshaw! That’s pure Hollywood!” Of course not. The only thing that really protects you in that case is about an inch of steel, that doorknob‑operated metal thing that inserts itself between the door and the door frame. The size and heft of the door doesn’t matter, generally speaking, impressive as it might be at first glance.
Perhaps the reason why encryption is not so popular is that people make a mental disconnect between what they see and what is real security. Laptop encryption, for example, doesn’t look like anything. It also doesn’t feel like anything, thanks to the advance in CPU speeds. In fact, modern computer encryption is designed to be transparent to the user—they won’t notice that it’s there. Out of sight, out of mind. A good thing, if we’re talking about employee productivity—nobody wants to be bogged down by a slow computer. A bad thing, if people are unaware of what’s actually protecting their data (if there is protection at all).
Laptop computers containing sensitive information on current and former Anheuser‑Busch employees have been stolen from the beer maker’s premises. The beer company has certainly been making a splash in the news: first, they get bought out by InBev, a Belgian conglomerate, releasing a tsunami of waffle‑related jokes; now, this.
It is not known how many are affected since the company has not revealed such information. UPI.com, however, states that the lost data contains Social Security numbers, addresses, marital status, and whether an employee had used a “mental health counseling service.” Anheuser‑Busch is offering affected employees a year of free credit reporting. Signs seem to point towards the potential of a data breach, i.e., that perhaps laptop encryption solutions like AlertBoot was not used.
There are some conflicting reports, however. Some covering the situation write that Tim Farrell, the company’s vice president for corporate human resources, revealed in a statement that one of the laptops had used encryption to secure information about employees and family members. Others claim one laptop was stolen, and that it was encrypted. Others don’t mention encryption at all. In a rush to publish anything, people are doing exactly that: publishing anything.
There are salient points in the haze of confusion, though. The first is that these devices were not lost at the airport or left in the backseat of a car. Nope, they were stolen from their offices. Now, a brewer doesn’t require the security levels found at, say, a nuclear weapons design plant. However, Anheuser‑Busch being a Fortune 500 company, I don’t think I’d be off‑base imagining they at least had security guards in the lobby and doing the rounds at night.
And yet stuff got stolen. The fact that these computers were laptop computers is irrelevant. If laptops weren’t available, who’s to say that desktops wouldn’t have been stolen in their stead? In fact, I’ve felt for a while that the only way to ensure laptop computers don’t get stolen from an office is to have something even more valuable lying around the office as bait, like an impressively intricate diamond necklace. Of course, it’s also a ridiculous way of preventing something from getting stolen. However, the concept of having bait lying around is certainly used to prevent random burglaries of the really expensive stuff: for example, placing a jewel-encrusted golden statuette to distract the thief from the multi-million dollar Matisse hanging from the wall.
The other salient point is the credit monitoring. Now, the fact that it’s being offered indicates to me that there is a chance of a data breach occurring (although, the absolute chance of an actual breach would be quite low. As most security professionals point out, machines generally get wiped and re‑sold). If all of the employees data had been encrypted, then such an offering wouldn’t be necessary.
That’s why I encourage full disk encryption over file encryption. Files dropped into a computer where the entire hard disk is encrypted are protected automatically. If the computer gets stolen, the contents of that computer are considered safe, even by the most cynical security consultants. File encryption—also known as content encryption—also feature nearly iron‑clad data security; however, individual files have to tagged for protection. It’s not as hassle‑free as full disk encryption, and it does require human intervention—usually the weakest link in the security chain.
Update (Aug 5, 2008): Anheuser-Busch released some more information over the weekend.
The FBI is investigating the theft of medical records belonging to Grady Memorial Hospital. At first, in a sure sign that the heat is getting to me, I thought that a data security solution like AlertBoot couldn’t have helped. But once you start getting into the story, it’s quite obvious that file encryption would have helped secure the information. Due to the nature of the files, however, I would have recommended disk encryption if it were a viable option.
The gist of the story is that Grady Memorial Hospital lost a bunch of voice recordings that were meant to be converted into medical notes. What tripped me up was the fact that these files are voice recordings. As stated in the article by The Atlanta Journal— Constitution, “the records pertained to recorded physician comments.” Generally, we’re talking about a microcassette recorder if it involves voice, records, and physicians. I thought a stack of tapes had gone missing. How do you encrypt a tape that works in a machine independently from a computer?
However, if I hadn’t been feeling so indolent and sluggish, the part where it says that the “missing records were kept on computer files” would have jumped at me. At least, I’m keeping good company when it comes to being clueless: Grady has no idea how many patients are affected, how the records were stolen, or which patients need alerting. It should be noted that the actual theft involved a subcontractor to the vendor that Grady had hired for the job.
So, this is what I’m guessing happened. A bunch of tapes (or whatever method doctors use nowadays to record their observations) get shipped out to the vendor. The records are then converted into digital files, if they weren’t in that format already, which in turn are sent out to the subcontractors. The subcontractors lose the device on which the voice recordings are stored; news travels up the chain of command. Grady jumps into action. Grady has no idea how many people are affected because—wait for it—they don’t have a written transcript. If they had 100 tapes, each of them 1 hour long, they’d have to listen all 100 recordings to figure who was affected, and how. At the same time, they can’t let any Moe, Dick, and Joe listen to these recordings because they’d be toeing the line in terms of doctor‑patient confidentiality and possibly HIPAA regulations. So, they’re stuck with 100 hours’ worth of listening to be done. And the only people who can listen to these tapes have real jobs to do. (Ironically enough, people listening to the recordings and transcribing them—most likely not doctors—are unhindered by regulations because they’re not working at a medical practice…the insanity).
At least, to me, this is the likely explanation on why Grady’s press release is so thin on details. They probably had to follow the law in terms of announcing the data breach ASAP, and yet they themselves are currently ignorant on how severe a breach they have on their hands due to the nature of the breach and the associated difficulties. End result: a data breach alert devoid of any real substance. It’s about as good as not alerting the general populace.
Which is what they would have done if Grady or the vendors had adequate data protection in place. With so little to go on, it’s debatable the following would have worked for the hospital, but any type of digital data can be usually protected using file encryption, so this could have been an option for Grady. The only reason I’m slightly apprehensive in recommending file encryption is that all 100 voice files that I’ve used as an example above would have to be encrypted, which will take time. An hour’s worth of voice is going to result in a big file no matter what, and the bigger the file, the longer it takes to encrypt.
If transporting such files to the vendor, or from the vendor to the subcontractor, is a recurring job, a better method may be to encrypt a portable hard drive using full disk encryption. Then, any files copied to that particular device will be encrypted automatically. Plus, there are no delays in encrypting the data since these are encrypted the moment they’re copied over to the encrypted disk.
The similarity lies in the fact that most people think of implementing fixes after disaster strikes. I bring this up because the Hillsborough Community College has warned 2000 employees that they should monitor their bank accounts, a laptop having been stolen this past Sunday. Did the stolen computer have laptop encryption? Nope. Were they not aware that encryption solutions exist? Perhaps. But if you take into account that the person who lost the laptop was a programmer, it makes you wonder. Granted, you don’t have to know much about computers to be a programmer. After all, one doesn’t have to be a car mechanic to be able to drive a car…
Regardless, the loss of the laptop is not a total disaster. While the loss of the computer does present a security breach—employee names, bank‑routing numbers, and Social Security numbers were some of the sensitive data in the laptop—the programmer had deleted the data prior to the theft. Now, I’d like to credit the programmer with practicing good data security, but it could just have been luck. For example, I will sometimes empty the trash bin on my computer when I don’t want to deal with work: I pretty much work in a paperless office, so I’ve got to get that satisfying paper crumpling‑up sound vicariously. If I happen to delete sensitive files…well, let’s just say data security was not what was on my mind at the time.
Knowing that the data has been deleted, why is Hillsborough alerting their employees to keep an eye out on their bank account statements? Well, the fear is that the thief will be able to recover the data. And, unfortunately, you don’t have to know anything about computers to recover data. Data recovery software is cheap and easy to use.
The question is, how likely is it for someone to go that extra mile to install the software in order to get to the data? The laptop was lost during a random burglary, stolen from the programmer’s car, along with a GPS unit and a cellphone. Under the circumstances it sounds like the thief may go for a quick flip of the illegally‑gained goods. The actual answer, however, depends on whether the thief is sophisticated enough. If he’s looking to maximize his profits, he’d be served well to spend some time scanning the visible (and not so visible) contents on that computer.
Of course, if the laptop computer had hard drive encryption installed on it, the theft wouldn’t be an issue at all. The use of encryption would have ensured the safety of the data, be it deleted or otherwise.
Apparently, Hillsborough agrees. They’re looking into encrypting computers and disks, in a clear case of fixing the barn doors after the horses have fled. Better late than never.
While the details are sparse, due to the number of people affected, I get the feeling that Sealaska Corporation may have lost a computer or some other digital device that could have benefited from the use of encryption software like AlertBoot. Why am I postulating this? And if my hypothesis is correct, could data protection solutions like disk encryption or file encryption done anything for the community‑oriented company?
First, my reason for assuming a computer was stolen. The company has announced that there was a data breach of some sort. Like I said before, they’re being sparse with the details, so there’s no way to know whether it was a computer or a pile of documents. However, the company’s offering to sign up all shareholders—over 19,000 of them—to LifeLock, a credit protection service, so it seems to me that that pretty much seals the deal.
Now, it’s not impossible to have 19,000 peoples’ sensitive data printed out. In fact, if you print one name per line with 50 entries per page, you’re looking to about 400 pages or so, depending on what type of margin you use. The size and weight is nearly what you would expect from a laptop. So, in terms of form factor, either one is pretty easy to swipe.
There are more clues, though. According to an article at newsminer.com, Sealaska has stated that they “don’t believe the data was the target of the crime.” Now, the only reason why a pile of documents would disappear would be because of the data printed on them; so, it means that the data that was stolen must have had something else of value associated with it. A computer would seem to fit the bill...or maybe a really expensive briefcase housing the documents.
But! Sealaska has also announced, “[we] believe that unauthorized access to your name, address and Social Security number by the thieves is unlikely.” Can’t be a briefcase, since I don’t know of any briefcases that offer real protection. All signs on my security eight‑ball point to “stolen computer.”
Which brings us to the second point. Would encryption software help in this situation? Of course. Be it full disk encryption (where the entire contents of a hard drive are subjected to encryption) or file encryption (where individual files and their contents are encrypted), data encryption would have given Sealaska’s management the ability to state that they “believe that unauthorized access to your name, address and Social Security number by the thieves is so unlikely ” In fact, there’s a good chance that Sealaska wouldn’t have had to make the announcement at all (but don’t quote me on this. I’m not a lawyer).
I don’t know what type of discount Sealaska must have gotten from LifeLock, if any, but I imagine encryption would have resulted in better cost-savings, too.
A one‑year subscription for LifeLock is $120, or $10 a month. That’s similar to what a solution provider like AlertBoot encryption solutions charges for its services. However, chances are a company like Sealaska doesn’t have 19,000 computers to encrypt, so the overall cost is going to be much (much) lower if it goes with data encryption. Plus, you don’t have to deal with a public relations fallout. For most companies, that’s priceless. If people could stick that into their financial forecast spreadsheets…perhaps then we’d have more people looking into data security.
When it’s time to protect the content in a computer, file encryption is a great way of approaching the issue. While I tend to recommend full disk encryption, there are times when this is no good. For example, back‑up tapes don’t mesh with disk encryption. This means that individual files going on that tape must be encrypted, one-by-one.
And, yes, encrypting individual files is time consuming; however, it’s certainly better than not encrypting the information. Take into consideration the village of Tinley Park. It’s a small municipality near Chicago, and recently found that they’re missing a backup tape. The information on that tape goes back ten to 15 years, and if the incident develops into an actual data breach, it could affect approximately 19,000 residents. This is in addition to vendors and employees of the municipality.
What type of information was on the tape? Social Security numbers, driver’s license numbers, and bank account numbers. Anyone who has submitted information to the village after May 30 is not affected by the lost tape, however. I suppose, their information was scheduled to be backed up much later…
Village officials have pointed out that it’s the first time backup tapes have been compromised. Meh. I’m not sure that has any bearing on the matter. In security circles, it’s a certainty that any company will have a “first time” when it comes to data breaches. Even security companies, which will provide fodder for newspapers for stories full of irony. The truth is that there are too many ways for things to get stolen or lost. Think about it: muggings; burglaries—at your office, car, home, restaurant, etc.; con artists; pickpockets (they pick more than pockets); and hundreds of assorted other ways.
How is one going to protect against all of that? It’s not possible. That’s why encryption is such a great deal. Encryption doesn’t prevent your computers, hard drives, tapes from disappearing. What it does is ensure the privacy of the data on those devices. You don’t have to worry about muggings, burglaries, and con artists (well, you do. Be aware of your surroundings, be safe, all that jazz), since the use of encryption prevents them from accessing the protected data.
Apparently, the village agrees. Village manager Scott Niehaus said that backup tapes will be encrypted going forward. Furthermore, it sounds like they’ll be restricting who has access to the tapes, further ensuring that a similar scenario doesn’t play out in the future.