Posts Tagged ‘prevent data leakage’

HSBC – Unencrypted Data on Open Shelves, in the Post and With Couriers!

August 23rd, 2009

Kudos to the United Kingdom and its Financial Services Authority (FSA).  The FSA is an independent body that regulates the financial services industry in the UK.  It has been given a wide range of rule-making, investigatory and enforcement powers, and it has just fined three HSBC firms more than £3m for failing to adequately protect customers’ confidential details from being lost or stolen.

HSBC and unencrypted data

These fines are not for a small or one-time incident, but for an ongoing failure to ensure the security of confidential data.  Just look at this list of issues.

  • “Large amounts” of unencrypted customer details had been sent via post or courier to third parties.
  • Confidential information about customers was also found left on open shelves or in unlocked cabinets.
  • In April 2007, HSBC Actuaries lost a floppy disk containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers.
  • In February 2008, HSBC Life lost a CD containing the details of 180,000 policyholders.

It should come as no surprise that the FSA found that HSBC staff had not been given sufficient training on how to identify and manage risks such as identity theft.  The firms have taken a number of remedial actions to address the concerns raised, including contacting the customers concerned, improving their staff training and requiring that all electronic data in transit is encrypted.

Financial Services Authority and Data Safety

Unfortunately HSBC is not the first: in the last four years the FSA has fined Capita Financial Administrators £300,000; Nationwide £980,000; BNP Paribas Private Bank £350,000; Norwich Union £1,260,000; and Merchant Securities £77,000 for failings relating to data security lapses and fraud.

Fortunately, the FSA has been empowered to take action!  Highlighting the teeth that the FSA has been given, the three HSBC firms agreed to settle at an early stage of the FSA’s investigation and therefore received a 30% discount.  They could have been fined another £1,500,000!

All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals – Margaret Cole, Financial Services Authority

FSA Principle 3 states that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.  HSBC obviously failed to meet this standard, and Clive Bannister, group managing director of HSBC Insurance, said: “We hold ourselves to the highest standards, but it is clear that in these instances we have fallen short, which we sincerely regret.”

The FSA is asking for even more power to act against companies that are lax with security.  It wants fines that better reflect the scale of the wrongdoing and that strip out any profit made from the breach.  Under the new proposals, fines will be linked more closely to income:

  • Up to 20% of the company’s income from the product or business area linked to the breach over the relevant period
  • Up to 40% of an individual’s salary and benefits (including bonuses) from their job relating to the breach

Now, maybe if more regulatory agencies around the world took action like the FSA, we would actually see a world where data is safer and companies routinely encrypt their drives.

Accountants, HR Staff and No Encryption – Oh My!

August 18th, 2009

It seems so obvious to us that anybody with a laptop should have file encryption, but obviously we are more than casual believers.  However, we have to wonder about companies that allow Human Resources and Finance staff to put massive amounts of data on laptops.  For people in these positions, file encryption should be an obvious requirement – or, as these tales will reveal, maybe not!

HR laptops sitting in a car

Williams, a 101-year-old natural gas producer and distributor, has 4,400 employees company-wide.  In late July a Williams laptop containing personal and compensation information for more than 4,400 current and former employees was stolen from a car in Tulsa, Oklahoma in the United States.  The passenger-side window of a Williams employee’s car was broken and the laptop, which was in a black bag, was taken.

Company spokeswoman Julie Gentz said that the computer contained names, birth dates, Social Security numbers and compensation data for every Williams employee since Jan. 1, 2007.   Obviously there is more than enough information in the laptop files to allow any semi-knowledgeable criminal to carry out fraud without the actual person being aware of it.

While the laptop was password-protected, it did not make use of hard disk encryption software like AlertSec.  A letter issued Friday to all employees by Stephanie Cipolla, vice president of Williams Human Resources, indicated that unauthorized access is possible, despite their existing security measures.   It seems like after the fact, everybody is willing to admit that security holes and issues exist – but that is way too little and way too late!

Just because you are 101 years old – does not mean you know how to safely run a business!

National Security AND Laptop Security

The US Army National Guard does a fabulous job protecting Americans and their allies around the globe.  But it can’t keep its own members’ data safe!  The Army National Guard is reporting a data breach via an unnamed contractor whose laptop was stolen.  About 131,000 former and current Army Guard members could be affected by the data loss, which occurred July 27 when a personal laptop owned by an Army Guard contractor was stolen, said Randy Noller, a spokesman for the National Guard Bureau.

The Army Guard will inform those Guard members who are determined to be affected by this incident by mailing a letter to them, Noller says.  The National Guard Bureau has set up a web page and the Army Guard will run a toll-free call center, both carrying up-to-date news and information on the data compromise.  So in the end they will probably wind up doing more work than if they had simply encrypted the laptop’s hard drive!

Why would a contractor, or anybody, need data on 131,000 Guard members on their laptop?

Security Layers – Never too much

August 13th, 2009

When we talk about encryption we often focus on laptops and desktops in public areas – computers that are at high risk of loss or theft.  However, the UK Ministry of Defence has published details of its data loss incidents for 2008, and if you think your nice shiny server room is protection enough – think again!  Among the incidents, the Ministry of Defence reported the loss of an entire server from an apparently secured government building; the year’s losses as a whole involved the personal data of some 1.7 million individuals.

This loss occurred in September 2008, when it was apparently discovered that “a server was missing following the closure of a secured government premises”.  The report goes on to describe the data as “names, addresses, details and service numbers or National Insurance numbers and medical records relating to around 700 individuals”, 200 of which are reported to be active records.

Security layers

This incident is one more example of why you need a combined, layered approach to data security.  You start with physical obstacles, doors and locks, but you also have to include information security controls such as hard drive encryption software from Alertsec, so that the data is unreadable if the physical layer fails.

Often when laptop computers go missing, a security expert is quoted saying that sensitive data shouldn’t be on laptops.  Instead, they note, secure data should only be on servers that are under lock and key and are guarded.  Well, as the Ministry of Defence discovered, the server is, by itself, not the best defence!

Size does not matter when it comes to security

A server has no special properties that prevent it from being stolen.  While many people think of servers as big computers, like the mainframes of olden days, the reality is that any computer can act as a server, including laptops.  Even if you use equipment designed specifically as a server, that equipment is shrinking in size every day.

Even where server room physical security seems adequate, you have to consider whether the servers can easily be carried off, and what will happen to their disks when the servers are decommissioned or sent for repair.  Encryption software is not just for laptops, but for any computer that stores sensitive data, regardless of how many layers of security you think you have in place.

On servers you can use encryption software that is more complicated to administer – for example, one that needs a key supplied at boot – because your system administrators can handle that.  On laptops and desktops you want to focus on encryption software that is easy to set up and maintain for users who are not administrators.

As the Ministry of Defence proved – your data can’t be too secure.
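One practical follow-up to the point above is to check which mounted filesystems on a server actually sit on an encrypted device, rather than assuming the server room takes care of it. The following is an added example written for this post, not Alertsec code and not anything from the Ministry of Defence report. It is a small Python script that walks the JSON tree printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT,FSTYPE` on Linux and treats a filesystem as encrypted only if a dm-crypt (LUKS) device sits somewhere beneath it in the stack. The embedded sample output is constructed to show both cases so the script runs offline; on a real host you would feed it the output of `live_lsblk()` instead.

```python
"""Flag mounted filesystems that do not sit on top of a dm-crypt (LUKS) device.

Added example for this post, not Alertsec code. It reads the JSON tree that
`lsblk -J -o NAME,TYPE,MOUNTPOINT,FSTYPE` prints on Linux and walks it: a
filesystem counts as encrypted only if some ancestor in the device stack has
type "crypt". The sample below is constructed to show both cases so the
script runs offline; on a real host, call live_lsblk() instead.
"""
import json
import subprocess
from typing import Dict, Iterator, List, Tuple

# Constructed lsblk output (not captured from a real machine): sda carries an
# unencrypted /boot plus a LUKS container holding root and swap; sdb is a
# plain data disk mounted at /srv/data with no encryption underneath.
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "mountpoint": None, "fstype": None, "children": [
            {"name": "sda1", "type": "part", "mountpoint": "/boot", "fstype": "ext4"},
            {"name": "sda2", "type": "part", "mountpoint": None, "fstype": "crypto_LUKS", "children": [
                {"name": "cryptroot", "type": "crypt", "mountpoint": None, "fstype": "LVM2_member", "children": [
                    {"name": "vg-root", "type": "lvm", "mountpoint": "/", "fstype": "ext4"},
                    {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]", "fstype": "swap"},
                ]},
            ]},
        ]},
        {"name": "sdb", "type": "disk", "mountpoint": None, "fstype": None, "children": [
            {"name": "sdb1", "type": "part", "mountpoint": "/srv/data", "fstype": "xfs"},
        ]},
    ]
})

# Mountpoints that are expected to be unencrypted: the bootloader has to read
# /boot and the EFI system partition before any passphrase or key is available.
DEFAULT_ALLOW = ("/boot", "/boot/efi", "/efi")


def _walk(node: dict, under_crypt: bool) -> Iterator[Tuple[str, str, bool]]:
    """Yield (mountpoint, device name, encrypted?) for every mounted node in the tree."""
    under_crypt = under_crypt or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        yield mountpoint, node["name"], under_crypt
    for child in node.get("children", []):
        yield from _walk(child, under_crypt)


def classify_mounts(lsblk_json: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split mounts into (encrypted, plain) maps of mountpoint -> backing device."""
    tree = json.loads(lsblk_json)
    encrypted: Dict[str, str] = {}
    plain: Dict[str, str] = {}
    for device in tree["blockdevices"]:
        for mountpoint, name, is_encrypted in _walk(device, False):
            (encrypted if is_encrypted else plain)[mountpoint] = name
    return encrypted, plain


def unencrypted_mounts(lsblk_json: str, allow=DEFAULT_ALLOW) -> List[str]:
    """Mountpoints holding data on an unencrypted device, minus the allow list."""
    _, plain = classify_mounts(lsblk_json)
    return sorted(mp for mp in plain if mp not in allow)


def live_lsblk() -> str:
    """Capture the same JSON from the running host (Linux with util-linux lsblk)."""
    return subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT,FSTYPE"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    encrypted, plain = classify_mounts(SAMPLE_LSBLK)
    for mp, dev in sorted(encrypted.items()):
        print(f"encrypted    {mp:<12} ({dev})")
    for mp, dev in sorted(plain.items()):
        print(f"UNENCRYPTED  {mp:<12} ({dev})")
    print("needs attention:", unencrypted_mounts(SAMPLE_LSBLK))
```

On the sample tree the check reports `/srv/data` as needing attention, while `/` and swap are fine because they sit below the `cryptroot` device. Two caveats worth keeping in mind: swap is on the list on purpose, since an unencrypted swap partition can hold fragments of whatever was in memory; and `lsblk` only sees dm-crypt, so a self-encrypting drive, BitLocker, or file-level encryption such as fscrypt would show up as “unencrypted” here and needs its own check.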

Educating Educators to Secure Their Data

July 31st, 2009

Any organization or business that has computers should be securing its data.  However, that statement is even more true (if that is even possible) when your organization has computers that are accessed by a wide number of people.  A prime example is schools – from elementary schools to universities, school computers can typically be accessed by a wide range of people.

However, many schools also have restricted budgets and overworked staff and security is all too often not a focus.  Consider these recent examples in schools in the United States.

Laptops stolen from Springfield schools

Ten laptop computers were stolen from the Keifer Alternative School in Springfield, Ohio on June 30th.  These laptops all contained information about students with disabilities, but not Social Security numbers, Springfield City Schools Interim Superintendent Don Thompson said.  The school district sent letters home to the parents of affected students following the theft.

The laptops belonged to employees of the district’s special education department, including psychologists.  These employees had relocated from the South High School building to the Alternative School.  Clearly the new school didn’t have adequate physical security.  Had disk encryption been installed on the computers (and the machines powered off or locked, so that the keys were not sitting in memory), the theft would have been a loss of hardware rather than a data breach.  The school would still have had the monetary loss, but there would have been no loss of sensitive data.

Employee data stolen from school

Canyons School District officials in Utah are investigating the disappearance of a drive that very likely contained the personal information of more than 6,000 current and recent employees. The lost information includes addresses, phone numbers, birth dates and Social Security numbers.

The Canyons School District (CSD) is a new district in the state of Utah.  Originally part of another school district, CSD broke off on its own and was scheduled to go live this summer.  Work, however, is still in progress, with technical staff still installing computers, phones and wiring.  Amidst this chaos, the drive was lost.  The drive should have been encrypted – and it might have been, but the district actually has no idea whether it was or not.

The district reported the incident to police, but absent evidence of foul play, police have no plans to investigate.  This is one more reason to secure your data: the support from law enforcement will be limited, because they often have no evidence to work with in solving the crime and locating the data.  Full disk encryption secures the data even if the disk is removed and attached to a machine the thief controls, since without the key the disk contents are unreadable.  Now (also known as “too late”) the district is taking steps to safeguard sensitive information, developing new policies and procedures and building a secure network for file transfers.

Alertsec for Schools

Alertsec Xpress administration is designed to offer hassle-free deployment and set-up.  Alertsec Xpress is pre-configured with a “best practice” setting to offer a secure, yet user-friendly, implementation.  The low cost of Internet-based encryption, combined with administrative ease, makes it perfect for school systems!