in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Hard Drive Encryption: Prosecuted For Computer Extortion

A 28-year-old man from Indianapolis was sentenced to two years in prison for trying to extort over $200,000 from an insurance company.  According to the story, the man stole the insurance company's computer server while working for a private security firm.  The server did not make use of data encryption software to protect the contents.

Orbs.  Brass Orbs

Or perhaps stupidity; you'll see why.  The man, Kevin Stewart, was working for a private security firm that in turn was contracted by AIG Medical Excess--no doubt, to provide security.

Instead, here's this guy that steals a data server with over 900,000 instances of private information that included, SSNs, names, and medical records.  (He also stole a camcorder and office equipment).  The incident was described as a break-in at the time, so it looks like Stewart had used information he had gleaned during his day job to carry out his night services.

On June 14, 2006 MSNBC quoted an AIG spokesperson who said, "There is no indication that the thieves were seeking data, rather than valuable hardware."

Fast-forward two years later, to July 23, 2008, when Steward delivers a package to AIG, stating that he posses the stolen server and would like "$1,000 a week for four years."  (Actually, another story I've read states that all arrangements were made via e-mail...wonder what this package was?)

Instead, the guy was apprehended and the server was recovered.  He was also ordered to pay back $1.4 million "to help cover the company's cost of identifying and notifying those whose data was stolen."

What's unbelievable is that Stewart went for a monthly plan instead of a lump sum.  This isn't exactly the lottery...hello!  Illegal stuff happening!  You want the exchange to be as quick and as informal as possible, not hang around to see if they sic the cops on you.

Threatened to Release the Data on The Internet...

...if he wasn't paid.  Allegedly. 

If this is true, it means that Stewart ultimate found a way to access the contents of the server, which is not surprising, actually.  The machine in question only used password-protection to "secure" the data, and this can be easily bypassed.

"There Is No Indication That The Thieves Were Seeking Data, Rather Than Valuable Hardware"

This is standard boilerplate when it comes to data breaches.  Whenever devices with valuable information are stolen, someone points out that "there is no indication blah blah..."  So, what?

While I can't blame AIG for including it (heck, why not include it?  Everyone's doing it and it sounds good), the truth is it's immaterial.  I hope companies spouting this nonsense don't actually believe it themselves.  I mean, is a thief supposed to leave behind his intentions for the robbery?

As this case has shown, absence of indication does not imply absence of intent.  It's quite apparent at this point that the theft of office equipment and other stuff was just a ruse to cover the real objective of the robbery: the server.

And note how this guy didn't make his move until two years after the robbery took place.  It behooves companies to better protect their customers' data--definitely with the use of encryption software, but also with other tools as well--instead of guessing what the intention of the thieve may be.

It's a miracle the server was recovered--and even more of a miracle if Stewart hasn't sold the data at an on-line information blackmarket.


Related Articles and Sites:
http://www.indystar.com/article/20100112/NEWS02/1120411/1003/BUSINESS/Indianapolis-man-1st-to-be-prosecuted-under-computer-extortion-law
http://www.fox59.com/news/sns-bc-in--stolendata-extortion,0,184269.story
http://www.msnbc.msn.com/id/13327187/

 
<Previous Next>

Disk Encryption Software Not Used, 15000 Kaiser Members' Info Leaked

Data Encryption: Health Net Sued By CT Attorney General

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.