Tag Archive for Data breach

Santa Gets Hacked!

The UK firm Twist & Shout reports that one of Santa Claus’s key databases has been compromised due to the loss of an unencrypted USB stick at the Kris Kringle North Pole workshop.


BP Data Spill

National Public Radio (NPR) reports that British Petroleum’s (BP) problems in the US now include a data spill as well as the oil spill. BP is paying compensation amounting to $4,000,000,000 to victims of its mishap incident disaster in the Gulf of Mexico last summer.

Now BP has lost the personally identifiable information (PII) of approx. 13,000 of its victims who are seeking compensation for oil spill damages. NPR reports that names, addresses, phone numbers and social security numbers were lost, opening these people to identity theft.

BP spokesman Curtis Thomas told NPR that the oil giant mailed letters to roughly 13,000 people whose data was stored on the missing computer, notifying them about the potential data security breach and offering to pay for their credit to be monitored. The company also reported the missing laptop to law enforcement, he said. The laptop was password-protected, but the information was not encrypted, Mr. Thomas said.

The employee lost the laptop on March 1 during “routine business travel,” said BP’s Thomas, who declined to elaborate on the circumstances. “If it was stolen, we think it was a crime of opportunity, but it was initially lost,” Thomas said. Asked why nearly a month elapsed before BP notified residents about the missing laptop, Mr. Thomas said, “We were doing our due diligence and investigating.”

Matt O’Brien, part owner of Tiger Pass Seafood, a shrimp dock in Venice, La., who said he had filed a claim with BP, told an AP reporter this was the first he had heard about the possible compromise of his personal information by BP. “That’s like it’s par for the course for them.” Mr. O’Brien said of BP, “They can’t seem to do nothing right.”

Once again, 13,000 lives are disrupted because a single laptop, which was not encrypted, was lost or stolen “during routine business travel”. Sophos’s Naked Security blog pointed out in 2008 that laptops are easy to lose. The security vendor cited a survey which found that 12,000 laptops are lost every week at US airports alone. The trend h

In that 2008 survey, almost three years ago now, 53% of people said that their laptops contained confidential business information, with two-thirds having taken no measures to secure their data. Clearly, some companies still aren’t taking proper measures.

RB-

As BP has again demonstrated, we all need to lift our game. As Sophos says, even if your organization is willing to take risks with its own data, firms have a clear moral duty not to take risks with the data they keep about other people.

During these economic times, many organizations are saving a few pennies by doing as little as possible about encryption-related security. Why not consider the value of encryption to your business, instead of considering only the cost?

What do you think?

Oil spills, Data spills, Outrageous gas prices – Is BP out to get the US?

How secure is your customer data?


Copiers Get Politicized

The politicians in Washington have politicized the data breach threats posed by copiers. I have written about the threat here and here, and now the Federal Trade Commission (FTC) is joining in. The FTC claims it is reviewing concerns that digital copy machines retain sensitive information, and the Commission is reaching out to retailers and government agencies to safeguard users’ private data.

FTC Chairman Jon Leibowitz recently said in a letter (PDF) to Rep. Ed Markey (D-MA) that the agency has launched an education campaign to inform users of copy machines. The FTC will try to educate users that copier hard drives retain critical information such as financial and health data. Unless this data is dealt with correctly, it creates a regulatory threat (SOX and HIPAA). Identity thieves can access the data kept on the machines, particularly as copiers are resold without their hard drives being wiped clean.

“Like you, we also are concerned that personal information can be so easily retrieved by copiers, making it vulnerable to misuse by identity thieves,” Leibowitz wrote.

The privacy implications of digital copy machines stem from a report by CBS that showed copiers were essentially acting as computers, with hard drive data being circulated among several parties as copiers were resold. Markey had called for an investigation into the issue.

rb-

I know I feel better about this risk now that the politicians and a federal bureaucracy are looking after my best interests.

Paper Based Data Breaches Growing

Brian Krebs at the Washington Post’s Security Fix points out that paper-based data breaches are on the rise. Krebs cites statistics from the Identity Theft Resource Center, a San Diego-based nonprofit, which says at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that were lost, stolen, inadvertently distributed or improperly disposed of.

The ITRC has logged 125 paper breaches among the 463 incidents it recorded in 2009. These breaches were spread across all sectors, with businesses having the most, followed by the government sector.

“Computers were supposed to take us to a paperless society, yet computers probably create more paper than before we had them, because now we want a hard copy as well as what’s on the computer,” ITRC co-founder Linda Foley told Security Fix. “It’s a double danger of course, because paper – especially when it’s just tossed in a dumpster somewhere – is not like data on a hard drive. It’s ready to use, it often contains the consumer’s handwriting and signatures, which can be very useful when you’re talking about forging credit card and mortgage applications.”

Stuart Ingis, a partner with the law firm Venable LLP in Washington, told Security Fix that many clients he deals with strictly speaking do not have a legal obligation to report paper-based breaches, but that most of his clients err on the side of caution.

Experts say that paper data breach incidents come to light in large part due to a proliferation of state data breach notification laws. Some 45 states and the District of Columbia have enacted laws requiring companies that lose control over sensitive consumer data, such as Social Security or bank account numbers, to alert affected consumers and, in some cases, state authorities. Concerned about the mounting costs of complying with so many different state breach regulations, businesses often find it easier and cheaper to adhere to the strictest state laws. The current federal data breach notification proposals would preempt state measures and would allow paper-based breaches to go unreported, because they would require notification only when data stored electronically is lost or stolen and are largely silent on paper breaches. Only Massachusetts and North Carolina currently require notification whether the data breached is in electronic or paper form.

rb-

When we talk to clients about information security, and not just information technology security, we ask them to consider whether lost paper documents that get into the wrong hands are not just as damaging to a company’s reputation as electronic data stored in an Excel spreadsheet or on a database server. Data on paper is just another form of data that needs to be protected by information security policies.
