AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

12 Million UK Residents’ Personal Data Lost In 2-Inch Memory Stick Data Breach

The Mail was the recipient of a 2-inch tall USB flash drive last week.  The contents of the memory stick?  The information of 12 million British taxpayers…is what the newspaper is claiming.  In reality, it looks like it was only a handful plus the potential for 12 million more.  Details are not truly forthcoming from the UK government but information has been gleaned from the USB memory stick itself by a computer expert who examined it for the newspaper.  It seems -- quite obviously, since the expert was able to come to some conclusions on the contents of the storage device -- that disk encryption software like AlertBoot was not used to secure its contents.

According to this expert, the disk contained confidential passwords and the source code of the government Gateway system.  Among other functions, the Gateway system works as an on-line tax filing site.  The site has been temporarily shut down as a direct result of this latest disastrous breach.  It should be noted that names, addresses, wages, National Insurance numbers, and credit card details are some of the data required to file taxes on the site.  The implication from headlines seems to be that anyone who is able to access the site as a high-level user could access these and other data…and that the confidential passwords found on the memory stick were for high-level users.

A spokeswoman for the government has announced that the USB stick contained the data of “only a handful of people,” and that any passwords were encrypted.  There was no word on what kind of data protection software was available for the source code, a potentially bigger problem if leaked out to the world.  Here’s my question.  If these passwords were encrypted, how did the computer expert for The Mail know that they were there?

Generally, the use of file encryption software ensures data security unless the password is known (yes, a password would be necessary to get to the passwords in this case). Using 128-bit encryption, a pretty typical standard nowadays, would require all the computers in the world to be dedicated to breaking the encryption key for the next 300 years to even slightly increase the chances of an information security breach.  It took less than a week for the computer expert to determine the contents of that file.  Could the spokesperson have misspoken about file encryption?  Perhaps the file in question was called “list of passwords to gateway.txt”?  No need to break encryption in that case…

This recent breach would seem like the latest embarrassment for an embattled UK government that has had many high-profile data breaches in the past year; however, the embarrassment should be felt by Atos Origin, the private contractor in charge of the site.  After all, it was their employee who lost the USB drive.  This, though, hasn’t prevented hundreds of people from leaving comments on The Mail’s site about how the Brown government is “stupid,” “irresponsible,” “incompetent,” and “full of muppets.”

If only everyone handling data could be like Big Bird.  Perhaps then we wouldn’t have so many information security breaches on that side of the pond.  To begin with, Big Bird doesn’t wear pants, so there’s no way he’d be able to take a USB memory stick out of the office inadvertently -- that avian guy has no pockets.  Nor would he be caught at a pub.  Oh, yeah.  I forgot to mention that the flash drive was found in the parking lot of a pub close to Atos Origin headquarters.

A viable and simple data security scheme, in lieu of hiring the biggest yellow birds you can find, would be to use full disk encryption on any USB sticks used in the office.  That way, if someone, in clear violation of office or governmental policies, takes a small data retention device out of the offices and loses it, there won’t be a problem.  To begin with, people won’t turn the thing over to media outlets like The Mail since they won’t have a way to find the contents of the disk if it’s encrypted.  The best PR stunt in the world is not to have a need for PR, no?

Related Articles:
http://www.dailymail.co.uk/news/article-1082402/Tax-website-shut-memory-stick-secret-personal-data-12million-pub-car-park.html
http://www.nzherald.co.nz/compute/news/article.cfm?c_id=1501832&objectid=10540887

 


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.