AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

December 2017 - Posts

  • 24,000 Affected After UNC Health Care Desktop Computer Stolen

    We're on the cusp of 2018, yet data breaches that smell like 2008 are still making an appearance. According to various news outlets, UNC Health Care has announced a data breach that involved approximately 24,000 patients when a computer – a desktop computer – was stolen during a break-in.
    The breached data:
    …includes names, addresses, phone numbers, employment status, employer names, birthdates and Social Security numbers, said UNC Health Care, adding that it does not believe any treatment, diagnosis or prescription records were kept on the computer other than diagnosis codes used for billing. [bizjournals.com]
    That last part may be somewhat comforting, but SSNs, names, addresses, and birthdates… that information can be easily used for fraud, as pretty much everyone knows.

    Acquisition Headaches?

    It's hard to believe that an institution the size of UNC Health Care can still be embroiled in a data breach that involves an unencrypted desktop computer. It's been years since HIPAA regulators showed that they mean business when it comes to data breaches involving private health information (PHI), via the issuance of fines and other penalties.
    As a result, many HIPAA covered entities have gone a long way towards ensuring that they've at least fulfilled the minimum security requirements, which generally involves the use of full disk encryption for computers and laptops. Had the computer in question been encrypted – which it's safe to assume it wasn't, per the media coverage surrounding it – it would have been a non-event; tantamount to losing, say, a chair.
    On the other hand, when you see that UNC Health Care is a network of hospitals, and realize that such fragmentation brings its own challenges when securing data, perhaps it's not so surprising.
    And yet, safeguarding PHI, even in such situations, is not impossible. With the proliferation of wireless and mobile internet, logistical nightmares of years past are far from insurmountable. Deploying and installing disk encryption on endpoints, even those that never come in from the field, can be done quite easily.
    But, there's a twist here. Apparently, the building from which the computer was stolen was a relatively new acquisition, which tends to bring its own set of problems:
    A break-in at the UNC Dermatology & Skin Cancer Center in Burlington resulted in the theft of a computer …. The center – formerly known as Burlington Dermatology Center or Burlington Dermatology – is located on Vaughn Road and was acquired by UNC Health Care in 2015. [chapelboro.com]
    For a lot of people, that last figure, 2015, would likely prevent them from giving UNC Health Care the benefit of the doubt on whether they were negligent regarding PHI security. Even if the acquisition had taken place in December of 2015, they had nearly two years to do something regarding the security of digital data. It's especially egregious when you consider that:
    UNC Health Care … ensured that all remaining computers acquired from, or kept for use by Burlington Dermatology have been properly secured. UNC Health Care has also implemented process improvements to ensure that future acquisitions of physician practices include a process to properly secure legacy computers and electronic patient information. [wfmynews2.com]
    The break-in occurred on October 8. The above statement was present in wfmynews2.com's article dated December 8. They managed to secure in two months what they did not in two years?

    Granted, it looks like they missed the boat because they had not set up a process "to ensure that future acquisitions…include a process to properly secure legacy computers"… but why didn't they? Based on their patchwork of hospitals, it feels like Burlington is not their first acquisition. So, one imagines that they should have had something per HIPAA's Administrative Safeguards, where

    "…a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level."
    And if not, then there is the HIPAA Physical Safeguards, where
    "…a covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI)."
    And if not, then there is the HIPAA Technical Safeguards, where
    "A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI."
    (Per the government's HIPAA site).  
     
    Related Articles and Sites:
    http://www.newsobserver.com/news/business/article188757969.html
    https://chapelboro.com/news/crime/unc-health-care-notifying-patients-potential-privacy-breach
    https://www.bizjournals.com/triad/news/2017/12/08/unc-health-care-computer-stolen-from-triad.html
    https://www.databreaches.net/24000-unc-health-care-patients-affected-by-potential-security-breach/
     
  • Uber Being Investigated For 2016 Data Breach

    Uber, the ride-sharing Silicon Valley unicorn, is… still in the news. They say that all publicity is good publicity – even the bad ones – but Uber is really taking that saying to its limits, it seems.

    This week, it was revealed that the company had been hiding a massive data breach that occurred over a year ago. The breach involved personal information including names, email addresses, and phone numbers of 57 million customers worldwide. In addition, drivers' names and license numbers were illegally accessed as well (7 million in total; 600,000 drivers in the US alone). According to bloomberg.com,

    Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
    Unsurprisingly, many states – including Illinois, Massachusetts, Missouri, New York, Connecticut, and Washington – have announced an investigation into the matter. Data security regulators in other countries have done the same.  
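    One defensive check that follows directly from this breach chain (credentials committed to a code repository, then replayed against AWS) is scanning files before they are committed for strings shaped like AWS keys. The example below is added here and is not from the original post or from Uber; the file contents are constructed, using AWS's published placeholder key values, and the pattern matching is a deliberately simple heuristic rather than a complete secrets scanner.

```python
import re

# Constructed sample of files as they might sit in a repository.  The key
# values are AWS's own documentation placeholders, not real credentials.
SAMPLE_FILES = {
    "deploy/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
    "app/main.py": "bucket = s3.Bucket(os.environ['BACKUP_BUCKET'])\n",
}

# Access key IDs are 20 characters: AKIA for long-term IAM user keys,
# ASIA for temporary STS keys, followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A secret key is 40 base64-like characters.  That shape alone is noisy
# (hashes look similar), so it is only reported when assigned to a name
# containing "secret", which is what a leaked config line looks like.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[a-z_]*\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def scan_text(path, text):
    """Return (path, line_no, kind) findings for the contents of one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            findings.append((path, line_no, "aws_access_key_id"))
        if SECRET_KEY_RE.search(line):
            findings.append((path, line_no, "aws_secret_access_key"))
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents, as a pre-commit hook would."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def precommit_verdict(files):
    """Exit-code style result: 0 means clean, 1 means block the commit."""
    findings = scan_files(files)
    for path, line_no, kind in findings:
        print(f"{path}:{line_no}: possible {kind}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(precommit_verdict(SAMPLE_FILES))
```

Wired into a pre-commit hook, a non-zero verdict blocks the commit; the README mention of the variable name is correctly not flagged, because only values shaped like keys are reported.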

    A Checkered Past

    It was just this past August that Uber agreed to a settlement with the FTC, closing a probe into how Uber misled customers regarding its privacy practices: the company allowed employees to access riders' personal information, including the details of trips, via a tool called "God View." The problem was described by some as a "lapse" in the ride-hailing company's security practices.

    In addition, the company had to deal with a data breach (smaller than the one being discussed here). The FTC looked into the issue and concluded, per recode.net:

    For years, Uber stressed it had taken great steps to protect its driver and rider data — all stored using Amazon’s cloud service. Until 2015, however, some of that information was saved as "clear, readable text, including in database back-ups and database prune files, rather than encrypting the information," the FTC said.

    The end result? Uber agreed to 20 years of oversight, the implementation of a comprehensive privacy policy, etc. The usual stuff that Big Tech companies agree to. An "onerous" slap on the wrist.

    (However, as recode.net points out, the settlement hasn't been finalized. The FTC must vote on it, and some lawmakers had urged the FTC to increase the penalties, perhaps even open a new investigation based on what the probe had revealed. This was before the latest revelation).  

    Hackers Bad. Lawyers Even Worse?

    When Bloomberg broke the news about Uber's latest transgression, two people were fired, including Uber's Chief Security Officer, Joe Sullivan. When approached by the hackers, Sullivan and Craig Clark, a lawyer with the company, made the decision to pay the attackers $100,000 to delete the data and to stay quiet about the incident.

    While none of that is illegal – paying off the hackers, asking them to be quiet, the hackers actually keeping quiet, and the hackers deleting the data they had acquired – what Uber did afterwards is.

    The US has 48 separate data breach notification laws. Most of them are similar. For example, most have a specific definition of what "private data" is and is not, and generally require a notification to be sent within 60 calendar days of discovering the breach. Also, they provide safe harbor from notifying clients after a data breach if the data was encrypted.

    Unfortunately, not all states offer the same protection, meaning that if your business is big enough, you're going to have to come clean anyhow: while people may be willing to believe that a Brooklyn-located mom-and-pop store's data breach affected New York residents only, it'd be very unusual that only New York residents were affected by an Uber hack. So, it makes no sense to announce a data breach in New York only (assuming New York does not provide encryption safe harbor) because people excel at adding two and two together.

    In addition, the European Union has very extensive privacy safeguards in place, and data breach notifications, at least to regulators, are de rigueur. So, again, if your business is big enough that it crosses your home country's national borders, then you're going to have to fess up. Because people also excel at adding deux and deux together.

    When Sullivan and Clark decided to conceal what had happened, they broke… the same law, essentially, oh-so-many-times. The fact that lawyers decided to take this approach (Sullivan, the unseated CSO, was a federal prosecutor earlier in his life) is surprising à la Schrodinger's meow – that is, knowing what we do about Uber, surprising and unsurprising at the same time.

    Things appear to be changing now that someone new is at the helm; otherwise, we may never have learned of the breach. And yet it feels as if the corporate miasma will take a while to disperse (from thenewstribune.com):

    In a letter to Washington Attorney General Bob Ferguson's office last week, an Uber attorney wrote that the company "now thinks it was wrong not to provide notice to affected users at the time" [of the 2016 Uber data breach].

    Really? Now they think it was wrong?

     

    Related Articles and Sites:
    https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
    http://searchsecurity.techtarget.com/podcast/Risk-Repeat-Uber-data-breach-has-implications-for-infosec
    http://www.thenewstribune.com/news/local/article187221548.html
    https://www.recode.net/2017/11/22/16690556/uber-data-hack-57-million-state-investigation