The Boston Globe is carrying a short article on how a number of companies in Massachusetts have suffered data breaches of customers' personal information, all of them in recent months. In most cases, the use of data encryption would have been helpful (and in one case, actually, encryption was used to safeguard data). What is most notable, though, is the comment section.
Six companies were mentioned:

- John Hancock, the insurance company, misplaced a CD with customer information, including names and SSNs. The information was encrypted, but Hancock offered credit monitoring to customers anyway.
- Lincoln National Corp., another insurance company, leaked access credentials, meaning anyone holding them could get into its computer system.
- Beer & Wine Hobby announced a breach of its computer system which exposed personal information for 35,000 customers.
- Nuance Communications reported a laptop computer was stolen during a car break-in, affecting over 1,000 MA residents (SSNs were included).
- Beecher Carlson Holdings, an insurance broker, announced the theft of two laptops while employees were at an off-site meeting. SSNs of employees were on the laptops.
- PF Chang's, the restaurant chain, reported the theft of electronic equipment that contained personal information.

Some of these have been covered by this blog already.
What's most revealing, though, is the comments section (as is usually the case).
Someone going by the ID of aperture noted that "ALL entities that are entrusted with vital information [should be mandated] to install VIABLE electronic safeguards."
Perhaps this person missed the part where the article noted that since March 1 "companies need to encrypt personal data stored on laptops or sent over the Internet." Need, mind you, not may choose to. In fact, this law (the Massachusetts data security regulation, 201 CMR 17.00) is one of the most stringent regulations in the US when it comes to personal information security.
Another, a6, noted that "it is time to hold CEO's criminally responsible and to fine companies big $ for sharing the information." Newsflash: many employees don't listen to the CEO if they think they can get away with it. And fining companies is exactly the point of the new regulation that kicked in this month. I'll have to cut this commenter some slack, though, since that detail is not mentioned in The Boston Globe article.
Besides, putting all the onus on the CEO is going to backfire when an employee has a beef with the people above him. For an analogy, take those states where the driver who rear-ends the car in front is automatically liable for the accident: there are more than enough cases where enraged drivers maneuver to force a rear-end collision out of spite. Call it an unintended consequence: a rule that was supposed to reduce traffic accidents actually encourages one in particular instances.
Imagine what could happen if the CEO is "responsible for all." Some might say that's not a bad thing; I feel bad for such people. If possible, quit your job and go to greener pastures, my friend.
Commenter Aljg noted that "As a database developer, I'm shocked that these companies let SS #s and/or CC # information on laptops. There is ZERO reason to have this information on laptops since laptops never/should never run production applications imo."
While entirely true, what Aljg forgets is that not everyone is a database developer; Social Security numbers and credit card information could be on a laptop for more pragmatic reasons. For example, the laptop is what a company uses for billing customers. Or perhaps the laptop belongs to someone in HR who keeps a file for HR-related tasks that require SSNs to be present.
(I should point out that none of the companies mentioned above seemed to be in a position where they were developing databases. Perhaps Nuance, but from the story it sounds like only employees were affected, which would point to the HR scenario.)
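Aljg's point does suggest a check a practitioner can actually run: before arguing about whether SSNs or card numbers belong on a laptop, find out whether they are there. The script below is an added example, not code from the original post or from AlertBoot. It scans a handful of constructed sample files embedded inline (the file names, contents, and the 4111... test card number are all made up), validates SSN candidates against number ranges the Social Security Administration never issues, and validates card candidates with the Luhn check, so that stray nine- or sixteen-digit strings are not reported as hits. Findings are redacted to the last four digits so the report is not itself another copy of the data.

```python
import re

# Constructed sample files, standing in for what might sit on an HR or billing
# laptop. None of this is real data; the card number is the standard test PAN.
SAMPLE_FILES = {
    "hr/benefits_roster.txt": (
        "Jane Doe 123-45-6789 enrolled 2010-02-01\n"
        "John Roe 078-05-1120 enrolled 2010-02-03\n"
    ),
    "billing/invoices.csv": (
        "acct,card\n"
        "1001,4111 1111 1111 1111\n"
        "1002,4111 1111 1111 1112\n"
    ),
    "notes/readme.txt": (
        "Order 000-12-3456 is not an SSN; ticket 987-65-4320 is in the 9xx range.\n"
    ),
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues (area 000, 666, 900-999; group 00; serial 0000)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every real card number (PAN) satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return (kind, redacted_value) for each plausible SSN or card number in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(("SSN", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("CARD", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def scan_files(files: dict) -> dict:
    """Map each path with at least one finding to its list of redacted findings."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for kind, value in hits:
            print(f"{path}: {kind} {value}")
```

On a real machine you would feed `scan_text` the contents of each file under the user profile instead of the `SAMPLE_FILES` dictionary; the pattern and validation logic stay the same. The two validation steps matter more than the regexes: without them a date, an order number or a mistyped card number shows up as a hit, and the report loses credibility with exactly the HR or billing staff you need to convince.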
Voodoo55 noted that "Anyone who thinks even the best security can't be penetrated is mistaken." I've got to concur. Disk encryption, for instance, protects a laptop that is powered off or still at its pre-boot prompt; it does nothing for one stolen while unlocked and running, with the key still in memory. At the end of the day, though, I'm not going to recommend that people stop updating their anti-virus software; that they stop using disk encryption software like AlertBoot; that they stop using laptop cable locks; etc.
I mean, seatbelts and airbags don't prevent people from getting hurt 100% of the time, but you'd have to be crazy to recommend against their use because they don't always work.
Related Articles and Sites:
http://www.boston.com/yourtown/burlington/articles/2010/03/13/new_reports_of_data_breaches_leave_thousands_in_mass_at_risk/