Personal details of 50,000 current and former RAF personnel were lost on September 17 from a high-security area. The sensitive information was stored on three external hard drives that were not protected with hard drive encryption software like AlertBoot. This case is something of a calamity, since it’s more than a lost or stolen disk. Unlike the incidents over the past year, this isn’t a case where an officer used poor judgment and took sensitive information to McDonald’s, to a pub, or to a club. Someone managed to steal it from what I’m led to believe is a secure space.
Food for thought, no? While blogging about security breaches over the past year, I’ve come across way too many instances where web surfers would decry the fact that stolen data was placed in laptops, USB memory sticks, external hard drives, etc. – anything that seemed portable. They claimed that sensitive data should (and if it were up to them, would only) be stored in data centers, where the appropriate physical security would be in place: cages, automatic and electric locks, armed guards, walls with no windows, steel doors, the works. I never could wrap my head around that. Not because I don’t think that securing data is important, but because people assume that stuff in data centers is not portable.
Technically, anything that was not present in the construction of a data center is portable. I mean, those blade servers didn’t come pre-installed with the data center; they can be taken out the way they came in. I know this because I’ve done that.
And, sure, they’re bigger than a USB drive. So what? If someone took the time and spent the energy to break into a secure location successfully, they’ll find a way to get at what they’re looking for. A data center is more secure than the locked trunk of a car; however, “more secure” doesn’t mean “better security” any more than “more chefs working on your broth” means “better soup.”
Use encryption to protect your data. It’s about the only thing out there that was invented to protect information. Let me repeat that. It was invented to protect information. And it does its intended job very well. Just ask the NSA. Or the CIA. Or their equivalent in other countries.
If you use disk encryption, for example, as the RAF should have done with the three missing disks, it doesn’t matter whether the disks were left in a locked cupboard (as they actually were) in an Air Force base; an unlocked cupboard in your granny’s pantry; a locked glove compartment in a car; or in a data center. Why? Because the information is protected regardless.
And isn’t that the point of protecting information? As opposed to making a show of protecting information?
The UK media is reporting that another CD with sensitive information has been lost in the mail. Technically, it sounds like it was a courier service, but you get the idea. The good news is that the contents of the missing CD were encrypted. That means the data is being protected by something similar to AlertBoot data encryption software.
And yet, there are people raising a fuss about the incident, including the party that lost the CD. The General Teaching Council (GTC) sent the encrypted disk to a data contractor in Rotherham. Now, it wasn’t the GTC that really lost the CD. It’s the delivery service, the courier, that wasn’t able to deliver and isn’t able to figure out where the package ended up.
But, it’s not the courier service that is sending letters of apology to the 11,000-plus teachers. Nope, it’s the GTC. And, they’ve managed to spread fear: “Because we recognise that no encryption system can ever be entirely infallible, we have taken urgent steps to put additional security measures in place for affected records.” Unless the council had decided to use weak encryption, there really was no need for that statement. I mean, they’re taking the “teaching” portion of their name way too far. Weak encryption can be broken, yes.
For example, when you protect your Microsoft Word files with the built-in protection, locking a Word document from unauthorized eyes, you’re really encrypting it. Microsoft has used 40-bit encryption in the past to protect such documents. Now, while better than nothing, such weak encryption can be broken relatively easily. There are commercial services out there that promise to break open Word files in less than 48 hours via brute force methods. The cost tends to be a little over $50.
But they’re offering the service because they know it’s a Word document. If you were to approach said services and ask them to brute-force some random file that was encrypted with actual encryption software using strong encryption, like 128-bit keys, they might balk at the suggestion…unless you decide to pay regardless of whether they succeed in breaking open the file or not. That’s because longer keys are far harder to break. The chances of winning the lottery twice in a row are much higher than the chances of breaking a 128-bit encryption key (much, much higher, actually).
This type of encryption, incidentally, is what banks and other financial institutions use to protect on-line transactions. Now, if the GTC had used this type of encryption, which is far more secure and commonplace (they really would have to go out of their way to use something weaker, I’d say), what do they have to worry about?
Apparently, the people agree. I’ve scanned over ten websites carrying the article, and only one of them has people writing a crap-storm in the comments section. Why? Because the article didn’t mention that encryption was used to protect the data. All the other sites are silent on the issue, and we’re talking about sites where in the past people wrote comments in droves when articles about lost CDs and USB memory sticks were reported. I don’t know if this is proof that people are wise to how encryption renders data breaches useless, but it’s definitely a strong indication of such thinking.
No. It’s definitely not because they use disk encryption solutions like AlertBoot. The companies that were surveyed by consultancy firm Logica did not report the breaches because they didn’t want to. Yeah, you read that right. They didn’t want to, so they kept it unreported. Secret. Sub rosa.
Let’s face it, a data breach of customer information—especially sensitive information like names, addresses, credit card numbers, Social Security numbers, or any combination thereof—is not something that one wants to announce to the world. Companies ought to, since it allows their patrons to be on the lookout for things like identity theft, but the end result is generally lost business, lawsuits, bad publicity, and other assorted recriminations against the company that made the announcement. I mean, who needs or wants to announce a breach?
So, approximately sixty percent of companies surveyed never took the time to alert their customers about a data breach. Half of them didn’t inform the police or the authorities! Other things of note:
I think that last piece of intelligence is quite revealing. In a survey of IT executives, half think that data security is an IT department issue? No wonder there’s a report of an information security breach every other day: there’s no way a handful of people in the IT department can ensure the security of an entire company. Yes, there are tools like laptop encryption in case things are stolen or lost; firewalls to deter amateur and would-be hackers; port control software to stem the copying of sensitive data; and other products out there to help prevent data breaches.
But, the biggest weapon in ensuring data security is still having your employees practice good data security. Yeah, it’s not a “guaranteed” level of security like a 128-bit asymmetric encryption key that’s been verified as impregnable by the cryptographic community. But, if your employee sticks a Post-It pad with his username and password to the computer…well, all that encryption goodness is for naught, no?
But, only in a roundabout way. Some intrepid reporters decided to spend $50 bidding on eBay for used computer hard drives, and see what kind of information they could glean from these magnetic devices. It turns out that they hit the jackpot, something that could have been prevented with the use of hard drive encryption software solutions like AlertBoot.
Call For Action bid on ten used hard drives to see what they could find on these digital media. The hard drives were analyzed by a computer expert, more specifically, someone working at a data recovery service in LaBelle, Florida. What he found surprised him. It surprised me as well, although I cannot say it was totally unexpected.
One of the drives that was analyzed contained data on 200 financial transactions from a wealth management company based out of New York, with a large transaction being just under $2 million. Another disk contained credit card numbers and drug prescriptions from a pharmacy. And two disks contained service calls for a large US retailer, which included customer names, addresses, and 750 credit card numbers.
When the data recovery expert was prompted if it was hard to recover the data, he replied, “It was not a complicated process for someone who knows what they're doing. It's not a complicated process for someone who doesn't know what they're doing.” [My emphasis]
Unfortunately, the italicized words in the above quote are not a typo. It is surprisingly easy to recover data from hard drives. You’ll notice that the story pointed out four hard drives out of the ten purchased. That’s probably because the remaining six hard drives didn’t contain any data of value, or perhaps were completely wiped clean of data—as they should have been.
But, what should have been doesn’t always happen. Mistakes are made. Hard drives can be and are resold without having their contents correctly deleted. We must also take into consideration that eBay is something of a haven for stolen goods that cannot be properly tracked. (This is true for any online auction or classifieds site.) There is a good chance that the data was recovered because the thief who unloaded the drives didn’t do (and had no incentive to do) an adequate job of deleting sensitive data, among other reasons.
It seems to me that companies are doing themselves a great disservice by not using full disk encryption, in two ways. One, by not using encryption, they are expending resources on what is essentially cleaning up their trash. Sanitizing data, while an easy process, is also a time-intensive one. With today’s hard drive capacities, it would take hours upon hours to ensure that one hard drive has truly had its data deleted and that nothing remains readable on that disk. This is a terrible way to use your IT budget: a guy you’re paying over $20/hour to sit and watch a computer that is doing nothing but writing random data to a hard drive.
Two, if you’re not using encryption, it means that you are setting yourself up for a potential data breach when your computer gets stolen or lost. Yes, there are other ways to get a data breach. But the loss of equipment is a commonplace occurrence; hackers holding your site hostage is not.
With whole disk encryption, though, you can kill two birds with one stone. A data breach becomes unlikely if disk encryption is protecting the computer’s contents. Plus, when the time comes to get rid of those disks, all you have to do is…nothing. Just give the thing a quick format if you are really worried, but that’s it. The data on that computer is protected because the original content is still encrypted.
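The quick-format-versus-encryption point above, as an added example that is not from the original post: a constructed eight-sector disk image is quick-formatted (only the metadata sector is zeroed) and then scanned byte by byte the way a recovery shop would. The plaintext disk still yields the customer record; the copy protected by a simplified per-sector AES layer, with its key discarded, yields nothing. The AES-CTR-per-sector scheme, the fixed key and the sample record are stand-ins I constructed, not AlertBoot’s implementation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

const sectorSize = 512

// newDiskImage builds a constructed 8-sector disk: sector 0 is filesystem
// metadata, sector 3 holds a customer record like those on the eBay drives.
func newDiskImage(record string) []byte {
	img := make([]byte, 8*sectorSize)
	copy(img, "FS-METADATA: root directory, file table ...")
	copy(img[3*sectorSize:], record)
	return img
}
// quickFormat wipes only the metadata sector; every data sector stays put.
func quickFormat(img []byte) { copy(img, make([]byte, sectorSize)) }
// recoverable is the recovery expert's raw scan: ignore the filesystem and
// search the platters byte by byte for the record.
func recoverable(img []byte, record string) bool { return bytes.Contains(img, []byte(record)) }

// encryptSectors is a simplified full-disk-encryption layer: AES-CTR per
// sector, sector number in the high half of the IV so counter blocks never
// collide across sectors (real FDE uses XTS; this is illustration only).
func encryptSectors(img, key []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a wrong key size
	}
	out, iv := make([]byte, len(img)), make([]byte, aes.BlockSize)
	for s := 0; s*sectorSize < len(img); s++ {
		lo, hi := s*sectorSize, (s+1)*sectorSize
		binary.BigEndian.PutUint64(iv[:8], uint64(s))
		cipher.NewCTR(block, iv).XORKeyStream(out[lo:hi], img[lo:hi])
	}
	return out
}

// run quick-formats a plaintext disk and an encrypted one, then scans both.
// For the encrypted disk the key is simply discarded afterwards (the "do
// nothing" disposal step): ciphertext stays on the platters, nothing readable.
func run() (plainFound, encryptedFound bool) {
	const record = "ACCT 0011223344 JANE DOE 123 MAIN ST CC 4111111111111111"
	key := bytes.Repeat([]byte{0x5a}, 32) // constructed AES-256 key; real FDE draws a random one
	plain, encrypted := newDiskImage(record), encryptSectors(newDiskImage(record), key)
	quickFormat(plain)
	quickFormat(encrypted)
	return recoverable(plain, record), recoverable(encrypted, record)
}
```

Because CTR mode is symmetric, applying encryptSectors a second time with the same key decrypts the image, which is the check a reader can use to confirm the layer is doing real work rather than just scrambling bytes.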
National Bank of Canada, Canada’s sixth-largest lender by assets, according to Bloomberg, has publicly announced that a laptop computer was stolen from its headquarters in Montreal. Although not expressly stated, it seems to me that this particular laptop was not protected with data security software like laptop encryption from AlertBoot. A shame, since there was customer data on that laptop—a “high percentage” of their mortgage clients, according to the bank.
The sensitive information included names, addresses, bank reference numbers, and account numbers. Other information such as social insurance numbers (Canada’s SSN), birth dates, or signatures were not included. Due to the limited information found on the stolen computer, the bank is maintaining that the risk of using the information for fraud is minimal.
And yet, the bank is asking its clients to keep an eye out for suspicious activity on their accounts. Makes you wonder why, if the risk is so minimal. Plus, wouldn’t the bank be in a better position to monitor fraud? I know I get a call whenever something weird pops up on their screens regarding a large purchase.
The thing about the stolen information is that it can still be used to carry out fraud. For example, this article from the washingtonpost.com shows how such “minimal risk” information was used in an attempt to scam $12 million from 90,000 accounts. That translates to roughly $130 per account. Depending on the bank, such paltry amounts may not raise flags in the bank’s system, and it would be up to people calling in to complain to shine a light on any attempted fraud.
Unlike some people commenting at cbc.ca, I don’t think that the issue is that the data was stored on a laptop computer. This equipment was stolen from the bank’s headquarters. Bank headquarters generally tend to have security in place. Now, since the laptop was stolen despite security, it stands to reason that anything else would or could have been stolen as well: it could have been a hard disk drive used as a backup; a bundle of printouts with the same sensitive information found on the laptop; a small desktop computer (sans monitor, of course). Heck, one could have installed one of those keystroke loggers with a wireless transmitter. If I were to believe some of the comments, getting rid of laptops would clear up any future data breaches. But as the handful of examples I’ve given illustrates, this is not so.
Let’s not forget the nature of the thing that is being stolen: data is a metaphysical object. You can burn a piece of paper with sensitive data on it, but if I’ve read it prior to your burning it, the burning is not going to do you much good (unless you’re trying to hide evidence from a trial or something). You have to have the right kind of protection. And when it comes to data protection, you want to use what the pros are using: encryption software. If the bank had used laptop encryption to protect all of their notebook computers, they wouldn’t have to ask their customers to keep an eye out, nor have their employees keep an eye out for irregular activity either.
It looks like Massachusetts will be one of the handful of states that are beginning to require the use of data encryption solutions like hard drive encryption from AlertBoot to protect consumer data—and not just recommend them, as in the watershed legislation passed by California years ago. The Boston Globe is reporting that state regulators released new rules (201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth) that require companies to protect personal information.
According to the Globe, companies must encrypt data stored on laptops, monitor data access by employees, and engage other security measures to protect consumer information. All of this must be in place by January 1, 2009. Sounds like a short period to me—and no doubt some are grumbling that having about a year to prepare for the new legal requirements would have been best. On the other hand, there is no sense in dillydallying when it comes to data security. The only time you’re allowed to do that is if you’re starting from a clean slate, and don’t have any data to speak of. In that case, wait all you want: there is nothing to protect, so you can’t have a data breach.
But, if you already have data, and it doesn’t happen to be protected with the use of some type of security measure like file encryption, there is no guarantee that you won’t have a data security breach in the time you’re preparing your company for protection. (Which sounds weird. If you’re preparing your company to employ protection, it implies there’s a viable threat…so why are you preparing, as opposed to starting whatever you need to actually protect your data? Isn’t that like warming up to run away from a hungry, charging bear?) In other words, there is no time like the present to start encrypting important or sensitive data.
If you’re a company in MA, though, there are some caveats that you should be aware of. For example, there is the definition of personal information. It’s defined as a combination of a person’s first and last name with SSN, driver’s license number, or financial account number. In other words, the Hannaford breach wouldn’t have required the company to have the data encrypted because only credit card numbers were affected. (Which, I should point out, is a moot point since credit card numbers have to be encrypted to begin with, per credit card industry rules.)