AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Laptop Encryption Software: AW Hastings Data Breach Via ADP

Automatic Data Processing, Inc. (ADP) filed a breach notification letter with the New Hampshire Attorney General's office.  According to the letter, a laptop was stolen from an ADP employee.  The device was protected, possibly with disk encryption software (such as AlertBoot).  However, it looks like encryption software may have failed the company in this case.

Compromised Encryption and Log-on Passwords

In the letter, ADP notes that the personal information of 3 New Hampshire residents was possibly compromised in a security incident.  On November 12, 2011, the laptop was stolen from an "ADP associate" at his home.  The computer was encrypted, as machines with corporate data related to personal information ought to be.

However, "there is a possibility that both the encryption and log-on password could have been compromised."  What this means specifically, the letter did not disclose.

Usually, passwords are compromised via the all-too-ubiquitous sticky note.  When a password is long and complex enough, people tend to write it down.  Since this password is important, it generally tends to occupy that one note (you wouldn't want a password to be obscured by phone numbers, people's names, doodles, etc.).  That one note tends to be a Post-It.

I figure that what happened is that the thief was grabbing the laptop, there was a Post-It in the vicinity which attracted the thief's attention (they're yellow for a reason), he saw it was a password, and grabbed it as well.  (Incidentally, do you know why Post-Its are yellow?  Many think that it's so it will stand out.  Not so.)

Regardless of how it actually happened, information pertaining to AW Hastings was compromised.

Which is interesting because ADP filed the letter with the NH AG.

Most States Require Data Owners to Report Breaches

Why is it interesting that ADP filed the report?  Because most state and federal laws assign the responsibility of protecting data to the original owners of the data.  This responsibility also means that the data owners are the ones that notify any agencies and organizations in compliance with the law.  Furthermore, it's argued that when an unknown third party sends a breach notification letter, those who are affected by a breach are more than likely to junk that letter unread, believing it to be marketing materials (i.e., junk mail).

Take a recent example: when TRICARE had a data breach, it was TRICARE that notified the media and affected people, despite the fact that the actual breach was by SAIC.  Had SAIC sent those letters, people might not have paid attention to them.

Of course, for the AG, an exception can be made.  I guess.  After all, what's important is that the AG be notified of the situation, and I can't imagine that the Attorney General's office gets too much junk mail.


Related Articles and Sites:
http://doj.nh.gov/consumer/security-breaches/documents/aw-hastings-20111208.pdf

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.