Update (Dec 4, 2008): According to the site www.pogowasright.org, C-W Agencies was able to recover the stolen tape and forensic experts are examining it to see whether their data was accessed or not.
According to the Vancouver Sun, C-W Agencies in Canada is claiming to be a victim of a data breach. The alleged perpetrator is the former vice-president of IT of the company, and the accusation is that he stole a backup tape with information on 3.2 million customers. The good news? Data encryption was used to protect the client data. The bad news? According to C-W Agencies, the information necessary to decrypt it is also stored on the tape.
The potential worth of the customer information, which includes credit card and bank account information of more than 800,000 customers, has been pegged at $10 million (Canadian, I assume…an observation that would have meant something a year ago), or about $12.50 per name. Shocking how worthless your personal information is on the market, black or otherwise, when you consider the damages that can be effected.
How Can Encryption Help In Such Scenarios?
Sorry to say, it cannot, because of the specifics of the situation. It’d be like asking how you can prevent the Brinks guy from driving away in his armored truck when he suddenly decides to steal the money instead of making his rounds. You just can’t.
When a guy who knows the passwords to decrypt protected data decides to go “rogue,” the security game is over. This is why encryption is never, and cannot be, considered the be-all and end-all for all of your data security woes. Encryption merely plays a part, but admittedly an important part, in a more holistic information security approach that involves inventorying, encryption, audits, firewalls, physical locks, and employee education (and their interest in security), among other factors.
For example, consider the above story: The former IT guy was not exactly trusted; he was supposedly a problem employee. But, due to his status as VP of IT, he had access to sensitive information. By all accounts, his theft would have been the perfect crime, except for one thing: the network administrator reported his suspicions of hanky-panky to the chief executive. The potential, negative ramifications of the data breach were foiled by the least sophisticated method possible: telling on someone.
Keep Your Passwords Safe
The importance of keeping passwords safe can be gleaned from the above story. Rogue agents, the theory goes, are unstoppable because we already trust them. But I would say that trust is not the main reason. The main reason that rogues cannot be stopped is that they already have access. It just goes to show the importance of keeping passwords safe -- an organization should neither accept nor allow passwords to be shared or posted.
Related Articles:
http://www.canada.com/vancouversun/news/westcoastnews/story.html?id=055fa12a-2bca-4804-9bef-a44eee60de5f
http://www.pogowasright.org/article.php?story=20081204140710834