AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

December 2011 - Posts

  • Drive Encryption Software: Stone Oak Urgent Care & Family Practice Computers Stolen

    Five computers have been stolen from Stone Oak Urgent Care & Family Practice ("Urgent Care"), leading to the breach of sensitive information for over 3,000 patients.  Hard disk encryption like AlertBoot was not used to secure the medical information, although password-protection was present.

    Break-In to Corporate Offices

    During the October 22 - 23 weekend, a thief or thieves pried open a door to gain access to Urgent Care's facilities.  Five laptop computers with medical files for 3,079 patients were stolen.  The files included names, Social Security numbers, dates of birth, account numbers, disability codes, diagnoses, and other information.  Encryption software was not installed on the devices, but password-protection was present, the latter being one of the most insecure ways of protecting data.

    That is not to say that password-protection can never protect data.  However, the fact that the Department of Health and Human Services (HHS) considers data destruction and strong data encryption to be the only ways of guaranteeing data security (evidenced by the fact that data protected by these two methods are granted safe harbor from the Breach Notification Rule) is indicative of what password "protection" means, security-wise.

    Surprising Statistic

    The article at mysanantonio.com has an eye-popping statistic.  Supposedly, "80 percent of hospitals don't encrypt data."  Of course, I can't tell whether this is quoted out of context and refers to just laptops or involves any and all aspects of electronic data that can be encrypted, such as desktop computers, external drives, and even email.

    Assuming that it involves devices that, due to their size, can be easily hidden and stolen, the figure implies that most medical establishments are just waiting to have a data breach.  While this shouldn't come as a surprise considering what was revealed at a recent Senate Judiciary Subcommittee on Privacy, Technology, and Law meeting, the fact that it's estimated to be so high is quite stupefying.


    Related Articles and Sites:
    http://www.mysanantonio.com/business/article/Computers-containing-medical-info-stolen-2429542.php
    http://www.phiprivacy.net/?p=8695
    http://www.stoneoakinfo.com/node/76053

  • Laptop Encryption Software: AW Hastings Data Breach Via ADP

    Automatic Data Processing, Inc (ADP) filed a breach notification letter with the New Hampshire Attorney General's office.  According to the letter, a laptop was stolen from an ADP employee.  The device was protected, possibly with disk encryption software (such as AlertBoot).  However, it looks like encryption software may have failed the company in this case.

    Compromised Encryption and Log-on Passwords

    In the letter, ADP notes that the personal information of 3 New Hampshire residents was possibly compromised in a security incident.  On November 12, 2011, the laptop was stolen from an "ADP associate" at his home.  The computer was encrypted, as machines with corporate data related to personal information ought to be.

    However, "there is a possibility that both the encryption and log-on password could have been compromised."  What this means specifically, the letter did not disclose.

    Usually, passwords are compromised via the all-too-ubiquitous sticky-note.  When one's password is long and complex enough, people tend to write it down.  Since this password is important, it generally tends to occupy that one note (you wouldn't want a password to be obscured by phone numbers, people's names, doodles, etc.).  That one note tends to be a Post-It.

    I figure that what happened is that the thief was grabbing the laptop, there was a Post-It in the vicinity which attracted the thief's attention (they're yellow for a reason), he saw it was a password, and grabbed it as well.  (Incidentally, do you know why Post-Its are yellow?  Many think that it's so it will stand out.  Not so.)

    Regardless of how it actually happened, information pertaining to AW Hastings was compromised.

    Which is interesting because ADP filed the letter with the NH AG.

    Most States Require Data Owners to Report Breaches

    Why is it interesting that ADP filed the report?  Because most state and federal laws assign the responsibility of protecting data to the original owners of the data.  This responsibility also means that the data owners are the ones that notify any agencies and organizations in compliance with the law.  Furthermore, it's argued that when an unknown third party sends a breach notification letter, those who are affected by a breach are more than likely to junk that letter unread, believing it to be marketing materials (i.e., junk mail).

    Take a recent example: when TRICARE had a data breach, it was TRICARE that notified the media and affected people, despite the fact that the actual breach was by SAIC.  Had SAIC sent those letters, people might not have paid attention to them.

    Of course, for the AG, an exception can be made.  I guess.  After all, what's important is that the AG be notified of the situation, and I can't imagine that the Attorney General's office gets too much junk mail.


    Related Articles and Sites:
    http://doj.nh.gov/consumer/security-breaches/documents/aw-hastings-20111208.pdf

  • Solicitorsfromhell.co.uk Breaches UK Data Protection Act: Information Needs To Be Accurate

    The High Court of Justice in the UK has ruled that solicitorsfromhell.co.uk ("SFH") has breached the Data Protection Act (DPA).  It's a reminder that the DPA is not just about protecting data.  Just because many publicized DPA breaches are a result of not using data protection tools such as drive encryption software like AlertBoot doesn't mean that there aren't other things to consider.

    Name and Shame Site Breaches DPA

    SFH provided, according to the owner of the site,

    [a] 'blacklist' of firms and solicitors contained on the site helped people choose legal services and encouraged members of the public to "expose wrongdoing" in the legal profession. [theregister.co.uk]

    Of course, seeing how he was essentially challenging solicitors (lawyers in the US), it was a matter of time before the case ended up in court.  The Law Society, which represents solicitors in England and Wales, successfully argued that SFH contained "malicious and defamatory" allegations.

    The High Court agreed.  In its decision it noted, among other things,

    because solicitorsfromhell.co.uk had contained false statements about lawyers Kordowski, as the data controller, had breached basic principles of UK data protection laws that require personal data to be accurately stored and processed fairly and lawfully.

    Because Kordowski had not processed lawyers' personal data in accordance with their rights – another principle of UK data protection laws – the judge ordered Kordowski to "block, erase and destroy the data which is the subject of this action". [theregister.co.uk]

    Data Protection Act Governs More Than Data Protection

    The DPA and the Information Commissioner's Office, which is charged with upholding the DPA, have become "famous" over the last year due to 2011 being an explosive year when it comes to data privacy issues.

    Many people understand that there are UK laws requiring personal data to be protected; that organizations that collect such data have a legal duty to protect it; that failing to do so can incur penalties and fines, and even prison sentences depending on the situation.  Indeed, it's one of the reasons why AlertBoot has seen an uptick in interest for its encryption software for securing computer hard drives.

    However, there is more to the Data Protection Act than protecting data.  You also have to ensure, as pointed out above, that the collected data is accurate.

    If the information is not accurate, you must correct it if someone requests it.  Of course, this also implies that people are allowed to see what data you hold on them, which the DPA covers as well.  Furthermore, if a person requests that a company delete the data that is being held on them, the company must comply under most circumstances.

    One exception is organizations that deal with journalism, since it would have tremendous impact on free speech rights.


    Related Articles and Sites:
    http://www.theregister.co.uk/2011/12/29/solicitors_in_court/

  • Disk Encryption Software: 1.4M Cattles Group Customers Affected By Breach

    Approximately 1.4 million customers of the Cattles Group -- owners of the Welcome Finance loan firm in the UK (whose website currently has a message stating that "Welcome Finance is no longer taking applications for new loans") -- are being notified of a data breach.  Two "backup discs" which weren't protected with data encryption software like AlertBoot are reportedly missing.

    Discs?  Tapes?

    Not only does the group not know where the missing data storage device happens to be, apparently they don't know what's missing (although, perhaps the journalist ought to be blamed for the following): the device is described as both backup discs and as tapes.  Which is it?

    Not that it matters, really.  Encryption software could have been used on either to protect the data.  We are speaking of 1.4 million records, and data at that level requires strong data protection, even if it's relegated to names, dates of birth, and payment history (800,000 clients only had their names and addresses breached), according to a spokesperson.

    This, however, appears to contradict the notification letter: according to one victim interviewed by thetelegraphandargus.co.uk, the letter read "the firm cannot account for her personal details, including bank details, national insurance number, date of birth and address."

    Customers were not the only people affected.  The storage device also includes HR information for staff up to October 2010.  It was not mentioned how many were affected.

    Not Surprising?

    A quick search on the internet explains why Welcome Finance has a "no new loans" alert on its webpage.  It went bankrupt.

    A company by the name of Bovess Ltd, described as a special purpose vehicle, has acquired Welcome Finance.  A SPV is known in the US as a Special Purpose Entity (SPE), and if I'm not wrong, was the reason why Enron was able to hide its debts before it declared bankruptcy.

    In retrospect, perhaps it's not so surprising that the company had a massive data breach.  I mean, the last thing that a bankrupt company pays attention to is whether backup tapes are missing.  The more interesting question would be, who's responsible for this breach?  Is it Welcome Finance?  Is it Bovess?  Are they one and the same?


    Related Articles and Sites:
    http://www.thetelegraphandargus.co.uk/news/local/localbrad/9438853.Fraud_fears_as_loan_firm_loses_discs/

  • Reminder: California Breach Notification Law Amended, Beginning 2012, AG Must Be Notified

    A timely reminder for the new year: Beginning on January 1, 2012, any business that has a data breach must alert the California Attorney General's office if more than 500 Californians are affected.  I'm pretty sure that this does not extend to any sensitive information that was protected with adequate data protection tools, like AlertBoot's laptop encryption software.

    I first mentioned this about 6 months ago, here.

    Also, the revised law has requirements on what must be included in the breach notification letters sent to customers:

    • Must be in plain language
    • A list of personal information that was breached
    • The date of the breach
    • A description of the breach
    • Whether law enforcement requested a delay in the notification
    • Instructions on contacting the major credit reporting agencies

    Encrypted Data

    I'm not a lawyer, so I'm not sure whether this train of thought makes sense, but under California law "personal information" is defined as:

    composed of an individual’s first name or first initial and last name that is combined with one or more of the following data, wherein either the name or the data it is combined with are not encrypted [my emphasis]

    In other words, when you use encryption software to protect data, this is no longer personal information.  Since it's not personal information, it can't lead to a data breach if you lose, say, a laptop with five gazillion names and SSNs.

    Hence, encryption provides one with safe harbor from the notification requirements, including the notification to the CA AG.


    Related Articles and Sites:
    http://www.jdsupra.com/post/documentViewer.aspx?fid=4d164c04-4c60-4ddb-a18d-de3e69533a9e

  • Data Encryption: Stratfor Stored Credit Cards In Plain Text

    The Office of Inadequate Security (databreaches.net) has been following the Anonymous hack of Stratfor.com very closely.  Of course, this is the hack where data encryption software was not used to protect credit card numbers, which were in turn used to make "charitable" donations.

    Dissent, the administrator behind databreaches.net, has raised a number of pertinent questions which ought to lead to interesting results.

    Stratfor.com Hack

    The original entry and updates to databreaches.net can be found here.  It includes what was hacked, how many were affected, and the subsequent "Antisec is not Anonymous" controversy.

    Here, Dissent looks into Stratfor's privacy policy, based on a cached copy.

    In this missive from Stratfor to clients (and provided to databreaches.net), the hacked company promises to boost security and provide credit monitoring services.

    And, last but not least, Dissent takes a look at what the breach might cost Stratfor, since the company is based out of Austin, Texas, and the Lone Star state has pretty strict data protection laws on its books, which were later amended to include all US citizens, if not the entire world.

    Some of the posts appear to be long, but only because of quoted passages and legislation.

    Adding in My Two Cents

    There are a couple of things that I wanted to expand on briefly.

    First, it's obvious that Stratfor was not PCI-DSS compliant.  For example, if you go over to pcicomplianceguide.org, you'll see that

    Q: To whom does PCI apply?
    A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

    There's no two ways about it: if you're processing a credit card for payment, you have to follow the rules.  It doesn't matter if you're a Fortune 500 company or a panhandler.

    Requirement 3 of PCI-DSS governs the storage of sensitive data, including credit card numbers and card verification codes.  The first rule is to never store the information, unless you have to (and then there is data like CVVs that are never stored, even in encrypted form).  The second rule is to always encrypt the information if you do store it.  The point is, you never store any part of a credit card in unencrypted form.
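    The storage rule above, as an added example that is not from this page or from Stratfor: the plaintext handler beside a Requirement 3 style handler that refuses the CVV outright and keeps only a masked PAN plus a keyed one-way token over the full PAN, one of the PCI-permitted alternatives to reversible encryption (used here because the Python standard library has no AES).  The key, record fields and test card number are constructed for the example.

```python
import hashlib
import hmac

# Constructed key for this example only; a real vault keeps it in a KMS/HSM,
# never on the same disk as the card records.
VAULT_KEY = b"example-only-key-not-for-production-32b!"


def luhn_valid(pan: str) -> bool:
    """Reject anything that is not a plausible card number before storing."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def store_card_plaintext(record: dict) -> dict:
    """The Stratfor pattern: the whole record, CVV included, is persisted as-is."""
    return dict(record)


def store_card_pci(record: dict, key: bytes = VAULT_KEY) -> dict:
    """Requirement 3 handling: never store the CVV, never store the PAN in the clear."""
    if "cvv" in record:
        raise ValueError("card verification codes must never be stored, even encrypted")
    pan = record["pan"]
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    # Keyed one-way token over the full PAN: lets us recognise the card later
    # without holding anything that reverses to the number.
    token = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return {
        "name": record["name"],
        "pan_masked": "*" * (len(pan) - 4) + pan[-4:],   # display only
        "pan_token": token,
        "expiry": record["expiry"],
    }


def matches_stored(stored: dict, pan: str, key: bytes = VAULT_KEY) -> bool:
    """Check a presented PAN against a stored record without decrypting anything."""
    expected = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(stored["pan_token"], expected)
```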

    Fines of up to $500,000 can be assessed on organizations that don't comply.

    The second thing I'd like to expand on is whether the FTC will get involved.  Dissent has asked "would the FTC consider Stratfor's data collection and storage deceptive"?  What Dissent is referring to is the fact that Stratfor promised to protect data but its actions didn't live up to that promise.  It's not unprecedented for the FTC to bring charges under such "deceptive practices."

    In 2010, Twitter settled such charges:

    The FTC's complaint against Twitter charges that serious lapses in the company's data security allowed hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information, tweets that consumers had designated private, and the ability to send out phony tweets from any account including those belonging to then-President-elect Barack Obama and Fox News, among others.

    "When a company promises consumers that their personal information is secure, it must live up to that promise," said David Vladeck, Director of the FTC's Bureau of Consumer Protection.

    CVS / Rite Aid also had to face up to their words and actions not matching up:

    Rite Aid made claims such as, “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.” The FTC alleged that the claim was deceptive and that Rite Aid’s security practices were unfair. [My emphasis]

    Can Stratfor expect a visit from the FTC?  I'm not sure.  But, the situation has attracted so much attention that the FTC cannot afford not to get involved.


    Related Articles and Sites:
    http://www.databreaches.net/?p=22426
