Learning From Others

Incidents like these can happen even in the most disciplined security environment. But they are far more likely in disorganized ones, where the basic rules of security are not followed.

DATE REPORTED: June 2006
ORGANIZATION: American International Group (AIG) (New York, NY)
DATA LOST: Names, Social Security numbers and medical history information.
DATA SUBJECTS: 930,000 persons who applied for or received supplemental medical insurance coverage.
CAUSE: Server computer stolen from office.
LESSON: Never take physical security for granted; even datacenters are subject to theft. In this case the server was "password protected," but a login password only gates the operating system: pull the drive and everything on it is readable unless the data was encrypted at rest. It is not clear that it was. (Probably not, given the notices the organization is sending out.)

DATE REPORTED: June 2006
ORGANIZATION: Ernst & Young (UK)
DATA LOST: Names, addresses and credit/debit card information.
DATA SUBJECTS: 243,000 Hotels.com customers.
CAUSE: Employee laptop stolen from car.
LESSON: It is never a good idea to store large quantities of sensitive information in unencrypted form on a laptop that must be used or stored in an insecure environment. This laptop evidently had an access password in place but did not use encryption. The theft occurred on May 3; as of May 31, all E&Y employees were required to use passwords and encryption on all laptops.

DATE REPORTED: May 2006
ORGANIZATION: Department of Veterans Affairs (Washington DC)
DATA LOST: Names, Social Security numbers, dates of birth and (in many cases) phone numbers and addresses.
DATA SUBJECTS: 28,650,000 veterans (discharged since 1975) and active duty military personnel.
CAUSE: Theft of laptop from a VA employee's home. Laptop files were unencrypted.
LESSON: Large quantities of sensitive information should not be taken off-premises, or indeed stored on any device that can be stolen, regardless of where it is located. If you must do this, strong encryption of the device holding the data is absolutely essential. In this case the breach cost the employee and two of his supervisors their jobs. It will also cost taxpayers hundreds of millions of dollars to follow up on.

DATE REPORTED: May 2006
ORGANIZATION: Texas Guaranteed Student Loan Corporation (Round Rock, TX)
DATA LOST: Names, Social Security numbers.
DATA SUBJECTS: 1,300,000 borrowers.
CAUSE: Lost storage device.
LESSON: You have to protect every copy of your data, and that requires security from everyone who has access to a copy. The data was encrypted and password-protected when it was handed over, but a third-party contractor hired to implement a document management system decrypted it and stored it on the hardware that was then lost.

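The Texas Guaranteed lesson is only actionable if you can find the copies in the first place. The Go program below is an added example, not code from this page or from any organization named on it: it scans text for Social Security numbers, applies the Social Security Administration's structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) to discard obviously bogus matches, and reports only the last four digits so the scan report does not itself become another copy of the data. The sample export is constructed for the example; the regular expression and the plausibility rules are the part worth reusing.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// ssnPattern matches the 3-2-4 digit shape, dashed or undashed. The \b anchors
// stop it from carving nine digits out of a longer account or phone number.
var ssnPattern = regexp.MustCompile(`\b(\d{3})-?(\d{2})-?(\d{4})\b`)

// Finding is one plausible SSN and the line on which it was seen.
type Finding struct {
	Line int
	SSN  string // normalized as AAA-GG-SSSS
}

// Masked returns the SSN with everything but the serial hidden, which is all
// a scan report needs to carry.
func (f Finding) Masked() string {
	return "***-**-" + f.SSN[len(f.SSN)-4:]
}

// plausibleSSN applies the SSA structural rules: area 000, 666 and 900-999,
// group 00 and serial 0000 are never issued. It rules numbers out; it cannot
// prove that a surviving number belongs to a real person.
func plausibleSSN(area, group, serial string) bool {
	a, _ := strconv.Atoi(area)
	g, _ := strconv.Atoi(group)
	s, _ := strconv.Atoi(serial)
	if a == 0 || a == 666 || a >= 900 {
		return false
	}
	return g != 0 && s != 0
}

// ScanText walks text line by line and returns every plausible SSN in it.
func ScanText(text string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		for _, m := range ssnPattern.FindAllStringSubmatch(sc.Text(), -1) {
			if plausibleSSN(m[1], m[2], m[3]) {
				findings = append(findings, Finding{Line: n, SSN: m[1] + "-" + m[2] + "-" + m[3]})
			}
		}
	}
	return findings
}

// sampleExport is a constructed stand-in for a spreadsheet a contractor might
// leave on a laptop; it is not data from any incident described on this page.
const sampleExport = `id,name,ssn,notes
1,A. Borrower,123-45-6789,plausible
2,B. Borrower,000-12-3456,area 000 is never issued
3,C. Borrower,666-12-3456,area 666 is never issued
4,D. Borrower,987-65-4321,area 900-999 is never issued
5,E. Borrower,123-00-4567,group 00 is never issued
6,F. Borrower,123-45-0000,serial 0000 is never issued
7,G. Borrower,219099999,undashed but plausible
8,H. Borrower,555-123-4567,a phone number, not an SSN`

func main() {
	for _, f := range ScanText(sampleExport) {
		fmt.Printf("line %d: %s\n", f.Line, f.Masked())
	}
}
```

Point ScanText at each file on the device (or at the output of a database export) and anything it reports is a copy that needs the same protection as the original. The plausibility rules cut false positives but not to zero; treat hits as leads to check, not as proof.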
DATE REPORTED: March 2005
ORGANIZATION: University of California (Berkeley CA)
DATA LOST: Names and Social Security numbers; about a third of the records also contained dates of birth and/or addresses.
DATA SUBJECTS: 98,000 persons who applied to or attended UC-Berkeley's graduate school between 1976 and 2004.
CAUSE: Laptop stolen from unattended office during lunch hour.
LESSON: Offices aren't 100 percent secure; indeed, many are not very secure at all. A security lapse of a few seconds is all it takes for a laptop to be stolen.

DATE REPORTED: February 2005
ORGANIZATION: Bank of America (Charlotte NC)
DATA LOST: Customer and account information for charge card program.
DATA SUBJECTS: 1,200,000 federal employees who participated in the charge card program.
CAUSE: Loss of backup tapes in transit to off-site storage location.
LESSON: Any sensitive data on the move should be encrypted whenever possible. Otherwise one is completely dependent on the physical security of the off-site location and of the transportation process to and from it. Given enough time, and enough tapes, sooner or later something is going to get "lost."

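For the Bank of America tapes, and equally for the VA and Ernst & Young laptops above, "encrypt it" means authenticated encryption with a key that never travels with the media. The Go program below is an added example, not the page's or any of these organizations' own code. It uses the standard library's AES-256-GCM: the tape label is bound in as associated data, the tape carries only a short key identifier, and any modification of the sealed image, the label or the key makes decryption fail outright instead of returning corrupted data. Random key generation here stands in for whatever key-management system would actually hold the media keys; the tape label and backup image are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// NewMediaKey returns a fresh random 256-bit key. In practice it would come
// from a key-management system; random generation stands in for that here.
// The key is what must travel separately from the tape: whoever holds both
// holds the data.
func NewMediaKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// KeyID is a short fingerprint of the key, safe to print on the tape label so
// the restore site knows which key to request without the key leaving custody.
func KeyID(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:8])
}

// SealBackup encrypts one backup image with AES-256-GCM. The tape label is
// bound in as associated data, so an image copied onto a differently labelled
// tape will not open. Layout: 12-byte nonce || ciphertext || 16-byte tag.
func SealBackup(key, label, image []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per image. Reusing a nonce under the same key
	// breaks GCM, so a real system also limits how many images share a key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, image, label), nil
}

// OpenBackup reverses SealBackup. Any change to nonce, ciphertext, tag, label
// or key yields an error, never silently corrupted plaintext.
func OpenBackup(key, label, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed backup too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, label)
}

func main() {
	key, err := NewMediaKey()
	if err != nil {
		panic(err)
	}
	// Constructed label and image; a real image would be the dump stream.
	label := []byte("TAPE-0001 keyid=" + KeyID(key))
	image := []byte("constructed charge-card export: 1,200,000 records")

	sealed, err := SealBackup(key, label, image)
	if err != nil {
		panic(err)
	}
	got, err := OpenBackup(key, label, sealed)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, image))

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = OpenBackup(key, label, tampered)
	fmt.Println("tampered image rejected:", err != nil)

	_, err = OpenBackup(key, []byte("TAPE-0002"), sealed)
	fmt.Println("wrong label rejected:", err != nil)
}
```

The design choice that matters for the lesson is the split: the courier gets the sealed tape and its label, the restore site gets the key from custody by key ID, and neither party alone can read the data. Encrypting without authentication (plain CBC, or a vendor "password" feature of unknown construction) would leave the restore site unable to tell a tampered or mislabelled tape from a good one.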
This is only a partial list. For an excellent chronology of recent information security events, see Privacy Rights Clearinghouse's "A Chronology of Data Breaches since the ChoicePoint incident" (2005-2006).
Last modified: 20-Jun-2006