AlertBoot Endpoint Security

Hard Disk Drive Encryption Not Used On Missing Blue Ridge Community Action

Blue Ridge Community Action's (BRCA) mission statement begins with the words "Helping People to Help Themselves in Partnership With the Community..."  After the data breach they've had, the BRCA's community may find itself helping themselves a little bit more.  If only they had used some type of hard disk drive encryption program, like AlertBoot, to protect their data....

According to the BRCA Executive Director Mattie Patterson, an unnamed employee with BRCA found that an external computer hard drive was missing on December 31, 2008.  (That…does not portend well for the new year.)

The drive was being used as a backup solution, so information on approximately 300 people who had used the organization's services in the past four or five years is missing, including Social Security numbers.

It is not known whether the drive is merely lost or stolen, although, does it really matter?  It's been missing for two weeks now, and if it hasn't turned up by now, it strongly indicates it's probably been stolen.  I mean, not even the Japanese have invented external drives that walk off on their own, and that country has invented more than its fair share of weird and useless stuff.

There is no mention of whether data protection measures were in place for the missing disk, so it's a safe bet to assume that there weren't.  Bad news.

What Does This Mean?  Do These 300 Have To Worry?

I'd say yes.  From the context of the story, it sounds like all of the affected were financially strapped or in need of community support.  Hardly the types to have lots of money in their bank accounts.  But, also, the types that may suffer extremely from losing what little they may have in their bank accounts.

And, it wouldn't be beneath a thief to go after such funds.  The bigger problem, though, is that with a name and SSN, a lot more harm can be realized.

  • Loans can be applied for, and the debt collector will come after the original SSN holder.
  • Strangers can sign up for jobs, and the IRS will come after the SSN holder for taxes owed.
  • A suspect with a fake ID could end up being booked by the police, and the original SSN holder is now listed as a criminal.

It's hard to list all the things that could go wrong, but let's put it this way: the BRCA won't be able to help resolve any of them.

The one thing--the least--the BRCA could have done is to encrypt that sensitive information.  Sure, it's an added cost (and, in some cases, a small added cost), but it's definitely worth it.  And its value tends to rise the more there is to protect, since encrypting a file with 300 names is no more expensive or costly than encrypting a file with 300,000 names.


Related Articles:
http://www2.morganton.com/content/2009/jan/13/lost-brca-hard-drive-contains-300-social-security-/
http://breachblog.com/2009/01/14/brca.aspx
http://www.brcainc.org/

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.