in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Disk Encryption Software: Nearly 90,000 Students Affected By Alaska Department of Education and Early Development Breach

The Alaska Department of Education and Early Development (DOE) is alerting 89,000 students and their parents that the theft of an external hard drive has triggered a data breach.  The missing hard drive does not appear to have been protected with full disk encryption software like AlertBoot, a key tool in securing information.

Good Security, Terrible Backup?

The missing hard drive contained names, dates of birth, student identification numbers, school district affiliation, school affiliation, gender, race/ethnicity, disability status, grade levels, test scores, and enrollment information.  Students' Social Security numbers were NOT included.

The theft of the device "likely" took place in February, when a rash of petty thefts plagued the department (more on this later).  The external drive was a backup to a computer system that was undergoing upgrades.  While not much was said about security on the backup itself, we do know that the computer servers were "behind two locked doors."

Based on the little we have to go on, I'd say that adequate security (not good, not exceptional; just merely adequate) was practiced at the AK DOE.

Except for the fact that an external drive was not properly secured physically.  And that it was not guarded with encryption software.  Or the fact that petty thefts didn't raise an alarm and put the guys in lockdown mode.

Oh, and regarding the petty thefts that plagued the department: small stuff got stolen, including thumb drives.  This, apparently, wasn't a cause for raising the alarm to students, so I take it it means that there was nothing of interest on those USB devices.

Let's Get This Straight: That Data Is Not as Anonymized as You Think

I've got to take exception with the following reassuring words:

Fry [a public information officer with the Department of Education and Early Development] says there is a silver lining in the theft, in that the student data isn't overtly visible to anyone simply opening up the hard drive, unless someone does "a particular set of procedures."

"A good deal of information about students is contained in numerical codes, not words," said Fry. "For example, if you list a student and his ethnicity, that ethnicity isn't a word.  It isn't 'Caucasian' or 'Native' or something like that, it's a numerical code which would have no meaning to a layman." [ktuu.com]

In other words, a lot of information is in coded form, or if you will, anonymized.  Which, even as I type the word, I've got to laugh, because the students' names are not, apparently.  In fact, perhaps I'm being generous since anonymization implies an intention to guard data whereas in this case it's serendipitous.

That names are present is problematic for at least two reasons: one, you know the students' names, which tend to work as anchors in any given database (or at least as one of the anchors).  If anything ought to have been anonymized, it should have been the names.

Two, things like ethnicity can be figured out by analyzing names.  Not with one name, obviously.  John Smith could be Caucasian, Native American, African-American, or even Asian (adopted foreign baby).  But if you have nearly 90,000 data points you can cross reference...well, it's just a matter of time to establish which code is linked to which race.  I mean, if "John Smith" and "Sam Ching-Fao Chen" both share ethnicity code "05," it's very probably that John Smith is Asian.

If my experience is anything to go by, a lot of information could be reconstituted using similar methods.  It's a vile circle: reconstitute one set of data and it can be used to reconstitute other sets, which are used to reconstitute other sets, and so on.

Complete anonymization is very hard to achieve.  This is why other tools are used to safeguard data, even if anonymization is a valid data security tool.  Tools such as data encryption programs.


Related Articles and Sites:
http://www.ktuu.com/news/ktuu-thousands-of-alaska-students-personal-information-accidentally-released-20110304,0,678388.story
http://www.newsminer.com/view/full_story/12178649/article-Hard-drive-from-state-Education-Department-with-student-information-on-it-missing
http://www.eed.state.ak.us/news/releases/2011/security_breach_letter.pdf
http://www.databreaches.net/?p=16996

 
<Previous Next>

Drive Encryption Software: Class Action Status Against Banque Nationale du Canada Allowed

Laptop Encryption Software: Rancho Los Amigos Center Loses Laptop, 660 Affected

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.