Posts Tagged ‘Information Loss’

Officials Defend their Response to Security Breach

December 11th, 2010
Security Breach in London

Recently a massive security breach occurred at a London-area school board. Two senior education officials said that many lessons can be learned from the breach, which exposed 27,000 student passwords on the Internet.

How Did the Security Breach Take Place?

One of the senior officials is Bill Tucker, education director at the Thames Valley District School Board, whose website was hacked in the October attack. After a Free Press investigation published on Saturday revealed that it took the school board more than 12 hours to call police about the breach, the board’s top official defended its response.

Tucker said on Sunday: “I’m absolutely comfortable with the way senior administration responded to the breach. We found out late in the afternoon (Oct. 20), the student portal (on the board’s website) was shut down, police found out the next morning and at no time was student safety at risk.”
“Any e-mails going around were copied to me and I insisted on face-to-face meetings (with administrators handling the breach) because the situation was so serious.” He added, “It’s been a learning experience for the board. As a school board, we’ve learned many lessons. For instance, when we are looking at the encryption of new codes, we need to get on top of it a lot faster, in terms of adapting to new technology.”

The obtained e-mails show that although administrators knew before 9:30 p.m. on Oct. 20 that the board’s website had been hacked and that passwords for more than 27,000 high school students had been posted on Facebook hours earlier, the board did not alert the police until 9:30 a.m. the next day.

Security Risks of Breach

There were immediate security risks because many high school students use the same passwords for other purposes, like banking and other online accounts. But that’s not how some Thames trustees see it.

Officials Defending Response:

New board chairperson Tracy Grant wrote in an e-mail response through Facebook that “our administration did react swiftly to the breach, immediately shutting down the portal and ensuring the security of the system. Most people are aware that they should personally guard their passwords and not use the same password for different applications – I think our students are particularly aware of the importance of changing and protecting their passwords.”

Grant did not respond to a request for clarification or provide a contact phone number, but pointed out that London police began a so-called Code 3 response to the situation, “indicating it was not of highest priority”.

Arlene Morell, a parent who heads the board’s parent involvement committee, said that the primary concern should always be the safety and protection of all students. “And I believe it was, freezing, shutting down and whatever they can do internally to ensure the protection of students was safeguarded,” she said.

A data breach is the unintentional release of secure information to an untrusted environment, so the protection of data (information security) is very important.

How Alertsec Xpress Would Have Helped:

In an incident which highlights the need for data security and recovery software, the threat could simply have been reduced to an insurance matter for an investment of $13/month. The information would have been secure, with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.


You need more than a blue shield to secure data

October 30th, 2009

Earlier this month we wrote about breaches of medical data in the United Kingdom, but in these past few weeks the US medical community has been stunned by two major security breaches related to Blue Cross Blue Shield.

The Blue Cross and Blue Shield brands are the United States’ oldest and largest family of health benefits companies and are among the most recognized brands in the health insurance industry. They are the largest health benefits provider in America, serving 100 million people, or approximately one in three Americans.

However, a great brand and a long history did not do anything to protect Blue Cross and Blue Shield from these two security breaches.

Information on 850,000 Physicians was stolen

A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Association employee.  The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors.  Some 16% to 22% of those physicians listed — as many as 187,000 — used their Social Security numbers as a tax ID or NPI number, Smokler said.

Jeff Smokler, national Blue Cross-Blue Shield spokesman, said the insurance giant encrypts all the information on company computers, but an employee who was authorized to have the information violated company rules by downloading an unencrypted version onto a personal laptop. The employee’s personal laptop was stolen after the employee left headquarters with it.

Smokler said corrective action has been taken, but declined to elaborate. This ties directly to our earlier article on security of healthcare data where we noted:

It’s interesting to note that “a unit of hospital purchasing alliance Premier Inc. has begun offering insurance designed to protect members against the cost of data breaches”, which highlights why government regulation is so important. Unless the fines and implications are severe, this industry, which is accustomed to using insurance to alleviate risks, is likely to continue to be a data security black hole.

It’s for this reason that Blue Cross Blue Shield should publicize the steps taken against this employee. Other employees in the healthcare industry and beyond need to see that there are repercussions for violating data security procedures. The powerful American Medical Association, which represents most of the 850,000 impacted doctors, has asked the BlueCross BlueShield Association to meet regarding the data breach – so this story is far from over.

68 Blue Cross Blue Shield Hard Drives Stolen

In addition to the reports of the missing laptop from the national headquarters, Blue Cross Blue Shield of Tennessee has announced the theft of 68 computer hard drives. Over the weekend of Oct. 2nd, unauthorized persons entered a data closet in a remote location that BlueCross BlueShield of Tennessee leases for training purposes and removed 68 hard drives. The stolen hard drives contained voice recordings of eligibility and coordination-of-benefit calls.

While BCBS has not specifically stated whether the drives were encrypted, they commented that “the retrieval of member data from these drives would require highly-specialized expertise and software.” The other term that was used was “encoded.” This tells us that while some of the files might have been secured and the data might be hard to retrieve, the drives were not protected by hard drive encryption.

One has to wonder how many times records will have to be stolen before companies in the healthcare industry step up and encrypt. Sure, we all know the economy is tough and money is tight – but today encryption is quite affordable.

Laptop Safety Tips

October 13th, 2009

While we normally focus on encryption, many of our articles discuss laptops and many of our readers deal with laptops every day. So today we thought we would share tips for keeping your laptop safe when you leave home with it. Obviously, encryption is the number one step – but there are other tips:

International Travel Tips for Laptops

  • If your laptop is new, take the receipts – you don’t want your local customs charging you when you return, thinking you bought it abroad!
  • Don’t forget to take a voltage adapter for your laptop, as well as a power plug adapter.
  • Make a back-up of all your data before you leave the country.
  • It is highly unlikely, but possible, that a customs officer decides to search your laptop as you bring it into another country, so you should be sure that your hard drive doesn’t have anything on it that it shouldn’t. This includes pornography, as the definition of what is or isn’t pornography varies by country. Also, if you work for a security or defense-type firm, realize that information that appears normal to you could be considered espionage by an overzealous customs officer.
  • Also unlikely, but you may be required to decrypt any encrypted files for customs.

School and Library Security Tips for Laptops

  • Permanently mark your laptop with your contact information – this may deter thieves, since it makes resale more difficult. Also consider covering the laptop with stickers.
  • Use a generic backpack and not a custom laptop bag – with a backpack it may not be as obvious to thieves that a laptop is inside.
  • Don’t leave your laptop unattended at your feet in a bag. If you become distracted or fall asleep, your laptop is easy game – if you are tired, consider setting an alarm on your PC to avoid this risk.
  • When using public wireless connections, be wary of logging into sites as passwords could be made available to others!

In Flight Security Tips for Laptops

  • Plan ahead as to which luggage case will house your laptop. You don’t want to store your laptop in an overhead bin if it’s in a soft case.
  • Close and put away your laptop when meals are served so there’s no risk of a beverage tipping onto it – I have personally seen this happen twice. One time, my then six-year-old daughter learned many new and “interesting” words when the laptop owner was shrieking at the stewardess.
  • When you leave your seat, close your laptop and put it away or leave it on the seat, not the tray where it could more easily slip off during turbulence.

While laptops are essentially made for traveling, there are many things you can do to ensure their safety, from the security of encryption to plain common sense about how you care for your belongings.

Healthy People Maybe, Healthy Laptops No!

October 9th, 2009

Three health trusts in the UK have had 30 data breaches in the past two years, according to reports. According to the BBC, Devon Primary Care Trust, Derriford Hospital, and Torbay Primary Care Trust have reported that they’ve had 30 breaches in total.

Yes, you read those numbers correctly – three organizations and thirty breaches.

The lost information included patient data which may have included NHS numbers, names, medical conditions, and other information, depending on the breach. The losses included laptop thefts and the theft or loss of memory sticks holding sensitive data. In no case was any of the devices protected with hard drive encryption software, which could easily have prevented a data breach from occurring.

Rest Easy, They’ve Learned Their Security Lesson

According to the BBC, “all the health trusts which lost data said they had learned from the cases.” Of course, one has to ask why it took 30 breaches to create an environment that looked for solutions! But the claim is that now all data is stored on secure servers and all staff have been issued with encrypted memory sticks and associated training. Plus, each trust now has an official whose job is to make sure information is secure.

A Trust spokesman was unable to say exactly when the theft occurred or whether patients were told at the time, but in a prepared statement pointed out that at least some of the laptops had password protection. However, unlike encryption, password protection can be breached in many ways.

Hospital Laptop Safety

As our recent article Data Loss is the Other Guy’s Problem pointed out, hospitals are at high risk for data loss. Yet they remain slow to adapt and slow to realize that services like Alertsec, with hard disk encryption, are as affordable as they are easy to manage. I just did a Google search on “hospital data breaches” to quickly find reports like:

These losses tie to the fact that “Health care is a treasure trove of personally identifiable information,” says Don Jackson, a researcher at security consulting company Secure Works Inc. Most health-care organizations collect patients’ names, Social Security numbers and dates of birth. Plus, they store payment information such as insurance and credit-card data. This is the holy grail for a thief in terms of financial opportunity.

It’s interesting to note that “a unit of hospital purchasing alliance Premier Inc. has begun offering insurance designed to protect members against the cost of data breaches”, which highlights why government regulation is so important. Unless the fines and implications are severe, this industry, which is accustomed to using insurance to alleviate risks, is likely to continue to be a data security black hole.

Data Loss is the Other Guy’s Problem

June 15th, 2009

Except for the very paranoid, one of the main reasons companies don’t take steps to better secure their data and their PCs is that they never think their company will be affected by the issue. The next company is a bigger target. That other company has a bigger risk. They have already invested enough in security measures.

To test that theory, I took a look at the Data Loss Database managed by the Open Security Foundation (OSF). Every day, their project curators and volunteers scour news feeds, blogs, and other websites looking for data breaches, new and old, searching for incidents that need to be updated or that are not yet in the database. So while they collect data, they clearly do not have the ability or bandwidth to locate information on all data breaches; their reports clearly undercount the extent of this issue.

However, it is a great sample to illustrate the breadth of the data security issue. Let’s look at the 20 reported incidents from May 2009. What companies were impacted? What types of companies were impacted?

  1. Information Company
  2. Community College
  3. Not-for-profit religious organization
  4. Government Agency
  5. Hospital
  6. University
  7. Government Agency
  8. Government Agency
  9. Car dealership
  10. Government Agency
  11. Government Agency
  12. Health Insurance Company
  13. School
  14. Financial Institution
  15. Union
  16. Financial Business
  17. Electronics Manufacturer
  18. Internet Store
  19. School
  20. Insurance Company

Sure, government agencies and insurance companies are high on the list. But a car dealership has driver’s license information, home addresses and financial data. A union has customers too – all its members, who have addresses, social security numbers and more. A not-for-profit is clearly not an organization with deep pockets for technology – but encryption is affordable compared to the potential losses.

If you have computers and you have consumer customers, you have the risk of having information breached. You may think this is a problem for “some other company”, but the reality is that it is an issue for every company. We’re just showing the industry – the actual company names are available in the Open Security Foundation database. Consider the low cost of data encryption versus being on the above list.