in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

UK Drive Encryption: Two Housing Bodies Breach DPA After USB Memory Stick Lost

Two London housing bodies, Lewisham Homes and Wandle Housing Association, admitted to breaching the UK's Data Protection Act when a USB memory stick with tenant information turned up at a police station.  The problem?  Lack of disk encryption software like AlertBoot, certainly, but also a lack of data controls.

Contractor Involved

According to databreaches.net, the memory stick belonged to a contractor that did work for both organizations.  The information was copied from both housing bodies' networks, with 20,000 details downloaded from Lewisham Homes and 6,200 details downloaded from Wandle Housing Association.  800 of the Lewisham Homes records also included tenants' bank account information.

According to other sources, such as theregister.co.uk and scmagazine.co.uk, the USB drive was lost (and found) at a pub.  The contractor worked as a database administrator and has been dismissed since, according to newsshopper.co.uk.

According to the Undertakings signed by both organizations, the data was copied for a couple of reasons.  For Wandle:

[The contractor] had copied the data to this device to work on a laptop computer at home, as he had experienced problems with his remote connection to the data controller’s network. In addition, the Commissioner was told that there was no evidence that this contractor had ever been trained in the data controller’s policies and procedures relating to data protection or IT security.

For Lewisham:

[The contractor] had copied the data to this device due to problems encountered backing up work on the data controller’s network. In addition, the Commissioner was told that there was no effective measure in place to prevent the use of personal or unencrypted USB devices on the data controller’s systems, and there was no provision for training contract workers in the data controller’s policies on data protection.

I can see how Lewisham and Wandle are ultimately responsible for the data breaches.  However, I cannot understand why these two are taking the blame for the data breach.  In this day and age, you're telling me that a bona fide database administrator has no idea about data privacy and breach laws?

Excuses Understandable, Lack of Encryption Not

The contractor copied the data for a couple of reasons, both of them perfectly understandable.  In one case, the remote connection (and I'm hoping that he was VPNing in) wasn't working; in the other, he was having problems backing up to the correct device.

Such problems occur often enough that I'm willing to accept the argument that the information was copied to the USB flashdrive for such reasons (as opposed to something more nefarious.  After all, well over 10% of breaches are due to "internal attacks").  But if so, why wasn't this guy's USB drive encrypted?

Even if he was unaware of the laws surrounding data security and privacy, as a database admin he should have known about the importance of data security from a technical standpoint.  Why his USB stick wasn't protected with encryption software is incomprehensible.


Related Articles and Sites:
http://www.databreaches.net/?p=20010
http://www.theregister.co.uk/2011/08/05/housing_usb_lost_down_the_pub/
http://www.scmagazineuk.com/usb-stick-with-financial-details-of-800-people-lost-in-london-boozer/article/209066/
http://www.newsshopper.co.uk/news/9183430.Bank_account_details_of_Lewisham_Homes_tenants_found_on_memory_stick_in_pub/

 
<Previous Next>

Strong Data Encryption Is Protecting My Hacked Data. So Says SK (The Company, Not The Country)

Laptop Encryption Software: Tufts University Data Breach, Encryption Was Used

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.