AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Data Encryption Software: Petco Data Breach Caused By Audit Firm, Content Encrypted

The Boston Globe made a pint-sized mention of how Petco Animal Supplies Inc suffered a data breach when an outside firm lost five laptop computers.  For a good reason, too: according to the Globe, the information on current and former Petco employees was encrypted.  Laptop encryption like AlertBoot is one of the easiest ways to ensure compliance with laws and regulations governing data security -- while actually protecting data on lost devices from unauthorized outsiders.

But there is more (less?) than meets the eye in this case.

Audit Firm's 5 Laptops Stolen

Petco was notified that five laptop computers used by outside auditors to audit the pet store's 401k plans were stolen from the outside firm's offices.  Personal information on current and former Petco employees was lost, including Social Security numbers.

Petco employs about 22,000 people.  One might assume the actual number of people affected must be higher, seeing how people retire...and there are plenty of them: Petco was founded in 1965.  The assumption would be erroneous, however.  According to the Petco memo:

personal information, including name and Social Security number, of all Petco associates who were issued a paycheck in 2010, as well as all associates who had a 401(k) account and received a distribution, or had a fee deducted from their account, in 2011.

The Boston Globe reports that the devices were encrypted, which makes sense: although not named, one assumes that the auditors must have been a notable group due to the size of Petco; they had a "brand," if you will.  Such companies have upped their data security measures in order to ensure that loss or theft of data does not cause bad PR.

Furthermore, the use of encryption software has a pragmatic value: most US states that have passed data breach notification laws provide safe harbor from notifying the public if encryption, usually strong encryption, is used to safeguard the data.

However, there is a caveat in this case.

Smells Like File Encryption

According to sandiegoreader.com,

"Furthermore," the company says, "the laptop compuers [sic] were protected with a strong password," and the sensitive information was "contained in a software program that is protected with an encrypted password."

The implication appears to be that disk encryption was not used in this case.  Rather, some sort of partition encryption software or folder encryption software was used to secure the data.

This is both a good thing and possibly a bad thing.  The good thing: this type of encryption is effective.  However, it has a particular failing due to the way computers work.  Namely, there is always a chance that data was temporarily written somewhere outside the encryption-protected areas.

"Temporarily," unfortunately, doesn't mean what you'd normally expect it to mean.  "Temporary data" is no different from "permanent" data except that it's not marked as permanent.  This means that the computer can, at its discretion, write over the temporary data whenever it wants.  It also means the data could remain in place for years -- it's really up to the computer and the computer user's data storage patterns.

Long story short: with a little extra effort, some data could be breached, since it's not within the encrypted area.
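
For an administrator relying on folder or file encryption, one way to check for this kind of spill is to scan everything outside the protected folder for Social Security number patterns in clear text. The script below is an added example, not code from AlertBoot or from any party in the Petco case; the function names, the "vault" and "tmp" folder names and the sample records are constructed for illustration.

```python
import os
import re
import tempfile

# SSN-shaped strings (3-2-4 digits), skipping number ranges that are never issued.
SSN_RE = re.compile(
    rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

def find_plaintext_ssns(scan_root, protected_dir, max_bytes=5_000_000):
    """Return {relative_path: hit_count} for files under scan_root, but
    outside protected_dir, that hold SSN-shaped strings in the clear."""
    protected = os.path.realpath(protected_dir)
    findings = {}
    for dirpath, dirnames, filenames in os.walk(scan_root):
        # Skip the encrypted area itself; the question is what leaked out of it.
        dirnames[:] = [d for d in dirnames
                       if os.path.realpath(os.path.join(dirpath, d)) != protected]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable or vanished file
            hits = len(SSN_RE.findall(data))
            if hits:
                findings[os.path.relpath(path, scan_root)] = hits
    return findings

def demo():
    """Constructed layout: 'vault' stands in for the encrypted folder and
    'tmp' for a scratch location the application wrote to."""
    with tempfile.TemporaryDirectory() as root:
        vault = os.path.join(root, "vault")
        tmpdir = os.path.join(root, "tmp")
        os.makedirs(vault)
        os.makedirs(tmpdir)
        record = b"Jane Doe,123-45-6789\nJohn Roe,234-56-7890\n"  # constructed
        with open(os.path.join(vault, "plan.db"), "wb") as fh:
            fh.write(record)   # inside the protected area: not reported
        with open(os.path.join(tmpdir, "~export.tmp"), "wb") as fh:
            fh.write(record)   # temporary copy outside it: reported
        with open(os.path.join(tmpdir, "notes.txt"), "wb") as fh:
            fh.write(b"order 2012-07-03, ref 000-12-3456\n")  # no valid SSN
        return find_plaintext_ssns(root, vault)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{hits} SSN-shaped string(s) in clear text: {path}")
```

A file walk like this only sees copies that still exist as files. Remnants of deleted temporary files, swap space and hibernation files are out of its reach, and those are the gap that encrypting the whole disk closes.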

Petco Dilly-Dallies, Too

Evan Schuman at storefrontbacktalk.com raises a curious observation:

By the way, there was an interesting line in the Petco memo: "On Tuesday, July 3, 2012, the outside auditor of Petco's 401(k) Plan informed us that five laptop computers had been stolen from their offices during the weekend of May 18-20, 2012. We are seeking an explanation from the outside auditor's office for the lapse of time in informing Petco of this incident." So Petco learned of this situation on July 3 and yet didn't tell employees until July 28? Is Petco also seeking an explanation for its own delay?

The point of breach notifications is, of course, timely notification to those who are affected so they can do something about the data breach.  Based on what I'm seeing here, the auditor's delay is about two weeks...and Petco's is over three weeks.

But then, Petco could have been waiting for the auditor to send them details.  The auditor has a duty to alert Petco of a data breach ASAP, not provide all details ASAP.


Related Articles and Sites:
http://storefrontbacktalk.com/securityfraud/petco-is-latest-victim-of-the-all-too-common-data-breach-via-stolen-laptop/
http://www.boston.com/businessupdates/2012/08/13/hundreds-mass-workers-exposed-petco-data-breach/6euDBbRaXPrdjKpVuSdJkK/story.html
http://www.sandiegoreader.com/weblogs/news-ticker/2012/aug/09/petco-security-breach-five-laptops-with-social-sec/

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.