The datalossdb.com site has a copy of a data breach letter from Fujitsu Consulting Inc. (Fujitsu) to the NH Attorney General. A subsidiary of Fujitsu Limited (the Japanese computer behemoth), the consulting company "provides management and technology consulting" according to a company profile kept by BusinessWeek. Was some type of information security solution used to safeguard the information, like hard drive encryption software from AlertBoot?
Can't tell, since there is no mention of it. In the past I would have assumed that companies that protected their information with data encryption software would have mentioned it, since it acts as an instant pacifier for customers. People understand that encryption ensures a high degree of data safety. But recent events like the Dezonia Group have revealed to me that this is not always the case: that particular breach was limited in its scope because disk encryption was used... but the affected company didn't mention it until plenty of people had expressed frustration about the incident.
The letter mentions that an "electronic storage device" was lost. It was sent via courier and lost. Fujitsu scrambled to figure out what type of data was stored on that device, and their search turned up 3,410 names and SSNs that were related to a project they were conducting in 2004. Fourteen of these names belonged to residents of NH, which explains the letter to the AG.
What was this device, though? A CD? A DVD? An external hard drive?
On the other hand, whether it's a CD or a USB flash disk, it really doesn't matter. As long as that data is readily accessible to third parties (and by that, I mean criminal elements), there is a significant risk of a data breach that will be followed by, say, ID theft. (Hopefully, that's not what will happen.)
One thing I should note, though, is that the above story shows why certain companies may go for a full disk encryption solution over file encryption software. The former encrypts everything on a disk, while the latter allows one to decide which files to protect.
For reasons I won't go into right here, many people prefer to select which files are to be encrypted. Indeed, one of the central tenets of data protection is to know what to protect and what not to.
On the other hand, we live in an age where individual files are larger than ever before, not to mention that we have more files than ever before--it's kind of hard to keep track of what's in what: does the file have SSNs and other sensitive information in it?
I mean, if you have a file called "Super duper project," it's kinda hard to tell whether there's any sensitive information or not. Duplicate such non-descriptive file names one hundred times, and you've got a ticking data breach time-bomb on your hands.
An easy answer to such a situation is the use of hard drive encryption: just encrypt the entire contents of your drive and you're set. Now, if you mail that particular drive and the courier loses it... well, you'll still have to file letters with the correct agencies. But you get to mention that the contents are safe as well.
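To make the file-naming problem above concrete, here is an added example (not from the original post) that inventories a directory by content rather than by name, flagging files that hold SSN-shaped values. The function names, the sample file names and the sample numbers are all constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# AAA-GG-SSSS with one consistent separator (dash, space or none), not inside a longer number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def is_plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 9xx, group 00, or serial 0000."""
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

def count_ssns(text):
    """Count distinct plausible SSNs in a block of text."""
    found = set()
    for m in SSN_RE.finditer(text):
        area, _, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            found.add(area + group + serial)
    return len(found)

def scan_tree(root):
    """Return {relative path: SSN count} for every file under root with at least one hit."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            n = count_ssns(path.read_text(encoding="utf-8", errors="ignore"))
        except OSError:
            continue  # unreadable file: skip it rather than abort the inventory
        if n:
            hits[str(path.relative_to(root))] = n
    return hits

def demo():
    """Build a constructed sample tree with non-descriptive file names and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "Super duper project.txt": "Doe, Jane 123-45-6789\nRoe, Rich 234 56 7890\n",
            "Super duper project (2).txt": "Order 000-12-3456, phone 555-123-4567\n",
            "notes.txt": "Budget review moved to Friday.\n",
        }
        for name, body in samples.items():
            Path(root, name).write_text(body, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    for path, n in sorted(demo().items()):
        print(f"{n:4d} SSN-like value(s)  {path}")
```

A scan like this only reads plain text and will miss values inside binary or compressed formats, which is part of why whole-disk encryption is the simpler guarantee for media that leaves the building.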
Related Articles and Sites:
http://investing.businessweek.com/research/stocks/private/snapshot.asp?privcapId=1018142
http://datalossdb.org/primary_sources/1506
http://doj.nh.gov/consumer/pdf/fujitsu_consulting.pdf