Scotiabank Lost 3 CD’s

The Star is reporting that some Toronto clients of Scotiabank are concerned about possible exposure of their personal information after three CD-ROMs listing clients’ names, Social Insurance Numbers (SINs), registered account type and account numbers have gone missing.  The CD-ROMs were mislaid last Wednesday and the bank believes that they have been lost internally.  However, the bank is warning clients just in case, so that they can monitor their accounts and make sure there was no fraudulent activity.

The discs were to be sent to the Canada Revenue Agency as part of the bank’s requirements to provide such information.  The parcel containing the three CDs went missing while in internal mail between two Scotiabank departments.  The number of people affected remains unclear.  Scotiabank would only say a “small percentage” of clients had their confidential information on the CD-ROMs.  In an email to the Star, Scotiabank confirmed the CD-ROMs were missing, calling the incident an “extremely rare occurrence.”  Based on their investigation, they have no reason to believe that this incident puts customers at risk.

Scotiabank has strict processes and procedures in place to protect customer privacy and confidentiality.  I could find no information regarding whether or not the data was encrypted, so I must assume it was not.  I hope the CDs are found quickly, and there is no data exposure.

Health Net Breach Affects 1.9M

Managed health care provider Health Net has revealed that it lost the personal information of 1.9 million current and past enrollees, its second massive breach in 16 months.  In November 2009, the company lost a hard drive containing 1.5 million customer medical records.

Health Net provides health benefits to approximately six million people.  In this most recent incident, several server hard drives containing the personal information – names, addresses, health information, Social Security numbers and financial data – of former and current Health Net members, employees and health care providers recently went missing from its data center in Rancho Cordova, Calif.

Health Net began investigating the most recent incident after IBM, responsible for managing Health Net’s IT infrastructure, said it could not find the drives.  No word on whether or not the data was encrypted, but that generally indicates that it was not.  It sounds to me like someone had better be taking a long hard look at how hard drives and other media are handled, managed, and transported at this location, and by this vendor.  You rarely learn anything the SECOND time you are kicked by the same horse.

NY Hospital Data Theft Affects 1.7 Million

New York City officials have begun the process of notifying 1.7 million patients, staff, contractors, vendors and anyone else who was treated or who provided services during the past 20 years at two public hospitals in the Bronx.  The New York City Health and Hospitals Corporation said the theft could endanger the personal information of basically anyone who shared personal information with Jacobi Medical Center, North Central Bronx Hospital, or their many offsite clinics.

The stolen electronic records contained personal information, protected health information, and/or personally identifiable employee medical information.  HHC said in a statement that it “values and protects individuals’ privacy and confidentiality and deeply regrets any inconvenience and concern this may create for patients, staff and others affected.  The loss of this data occurred through the negligence of a contracted firm that specializes in the secure transport and storage of sensitive data.”  Computer backup tapes were stolen on Dec. 23, 2010, from a truck operated by GRM Information Management Services that was transporting them to a secure storage location.  The theft occurred while the GRM van was left unlocked and unattended during other pickups.  GRM reported the incident to the police and dismissed the driver.  The tapes were not encrypted.

There is no evidence that the data have been inappropriately accessed or misused, HHC said.  However, HHC is providing information and one year of free credit monitoring services to anyone who may be worried about possible identity theft.

All the details are at http://www.healthcareinfosecurity.com/articles.php?art_id=3349

So, what are they doing shipping unencrypted tapes around?  How is it possible that a hospital could be so negligent?  Why do their unencrypted tapes contain data collected over TWENTY YEARS?  Shouldn’t it be purged occasionally?  Oh, the legal fur is going to fly over this one.

GRC Management Solutions

As the security landscape continues to devolve, businesses will continue to adopt and implement security controls.  The earlier that a Governance, Risk and Compliance (GRC) Management tool is adopted by the business, the sooner overall compliance and security will improve, and the more likely security awareness will permeate the business culture.   GRC Management tools are designed to support and unify existing and new processes, such as:

  • Asset management
  • Configuration management
  • Policy management
  • Risk management
  • Alert/Event monitoring
  • Incident management
  • Vendor management
  • Business continuity & disaster management
  • ID provisioning
  • Access control management
  • Privileged ID & password management
  • Log management
  • Regulatory compliance monitoring
  • Records management
  • Email management
  • Security Awareness programs

Although these individual processes may exist within an organization, they are generally developed independently of one another as a need arises, lack the necessary links and feedback loops to support one another, and remain operating in silos, disconnected and unaware of one another.  The use of an over-arching GRC Management tool is what will link information from all of these activities together, providing the business with a clear, high level picture of their security, compliance and technical operations, while allowing drill down into the weeds when problems are identified.  By eliminating redundant activities, GRC management tools can reduce total compliance costs and enable business leaders to get high-quality, accurate and timely information to support better business decisions.

GRC done right presents a powerful foundation for security efforts, allowing for clear definitions of metrics, success parameters, vision into the risk items that the business needs and should be managing, as well as operational effectiveness, all in a homogeneous and consumable format.  The key to success of the GRC management platform is its ability to extract, import and correlate data from multiple diverse sources.  It has been a while, so I believe that it is time once again for me to examine the vendors and offerings within this important niche.


Oracle – Game Changing Storage Announcement Coming

According to ComputerWorld, Oracle is poised to make a “game changing storage announcement” on January 31st. 

“We can’t tell you just how much this will improve your datacenter until the big event,” their website states, but customers will experience greatly reduced costs per terabyte as well as lower floor space.

I can’t wait to see what this vaporware turns out to be once it materializes.  I’m speculating that it has to do with replacing hard disks with NVRAM devices.  Warning, this speculation is 100% unfounded in fact.

Protecting Against Data Leaks

Wikileaks seems to have become a rather quiet issue.  Very little in the press lately, and not much discussion for such a high profile and potentially damaging experience.  In follow-up to “Could it Happen To You”, here are some thoughts on detecting data leakage, and protecting your sensitive data and intellectual property.

You will never completely eliminate the possibility that someone will leak documents to WikiLeaks or any other outside organization, and every organization, even one that operates legitimately and completely above board, has SOMETHING to hide.  From the competition, from enemies; everyone has intellectual property and those special trade secrets.  The opportunities and methods for extracting information in its various forms are just too diverse.  In order for any organization to function, individuals need to be able to access, copy, manipulate and print information.  There will always be a chance that an individual will intentionally or accidentally make that information available to an unauthorized audience or individual.  It could be as easy as adding the wrong email address on a CC list.  Auto-complete is notorious for making this example more common.

Eliminate Common Means

In incident response terms, an attacker typically needs four things in order to launch a successful attack.

  1. The opportunity to attack.  This is provided to insiders by having access to data, and poor internal controls.
  2. The ability to attack.  This is provided by the tools and knowledge available to anyone.
  3. The motive to attack.  This could be monetary, moralistic, vengeful, accidental, etc.
  4. The means to complete the attack.  This is the physical or logical device used to move the data.


WikiLeaks – Could It Happen To You?

For enterprise IT managers and security professionals, the on-going WikiLeaks disclosures underscore the information security gaps that exist even when common security controls are in use by large organizations.  It is not necessarily the controls themselves that are flawed, but more often the supporting processes and procedures that were quickly pulled together under pressure, and seldom if ever revisited or audited at a granular level for optimal performance and completeness.

This entire ordeal also serves to highlight the importance of adopting a “trust, but verify” approach to hiring practices and access control.  This means that you need to be just a little bit more paranoid regarding your practices, without distrusting your employees.  Remember that everyone that you hire is human, and that people will make mistakes if mistakes are possible.  They are (hopefully) hired due to their capabilities and experience, but what really separates them from the other candidates that showed up for an interview?  Were you able to validate their claims of reliability and trustworthiness?  Trust that they will exercise good judgement, work towards corporate betterment, but verify that each access to sensitive data or corporate intellectual property is properly justified.   Remove the temptation to go astray, and by all means, let them know that you verify.  Your intentions are to DISCOURAGE criminal or damaging behavior, not ENTRAP those who may err or fall prey to social engineering.

What controls should be in place?  That depends on the type and classification of the information that is at risk.  When it comes to client financial and personal information, it is clear that monitoring, notification and escalation controls are a requirement.  Take a lesson from PCI, even if you don’t adopt it formally.  The PCI DSS is simply basic computer security.  A quick review of the 12 main PCI requirements shows nothing revolutionary, and they offer a solid starting point for virtually any security compliance engagement. 


DLP – Protecting What Matters Most

Data Loss Prevention (DLP) products exist to help organizations monitor and protect sensitive data.  This data could be customer information, credit card numbers, employees’ personal information, project plans, intellectual property, trade secrets, whatever the crown jewels may be.  If this data were to be lost or stolen, it could create significant legal liability, financial loss, security risks, as well as reputational and regulatory hardships.  DLP keeps sensitive data from falling into the wrong hands.  NetworkWorld has a collection of excellent DLP articles for those that are concerned with the topic.  Find the related items at the end of this entry.

You can put in place all of the intermediary policies and risk mitigating controls from perimeter to storage server that you can afford.  One thing with technical security controls is almost certain: a determined attacker will find a way to violate your strongest safeguards.  Filter web traffic and they resort to encryption and obfuscation.  Isolate sensitive systems from the Internet and they plug in a USB drive.  Disable USB support and they reboot with a CD.  Disable CD/DVD booting in CMOS and block the USB ports with super glue and they use a cellphone camera to snap a picture of sensitive material on screen.  Create a policy barring cameras and enforce it, and the attacker will reach for a pencil.  DLP is just shy of a silver bullet from my perspective in Incident Response.  It is a security control that if implemented and managed correctly, protects the data from inappropriate exfiltration.
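As an added example (not the blog author's code, nor any DLP vendor's), here is a small Python outbound-mail check that covers both the mis-addressed CC case from the "Protecting Against Data Leaks" entry and the content inspection a DLP product performs: it looks for payment card numbers, Canadian SINs and US SSNs in the message body, validates each hit with the Luhn checksum or SSA issuance rules to cut false positives, and blocks only when such content is addressed to someone outside the organization. The internal domain example.com and the sample message are assumptions.

```python
import re

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain
# Constructed sample; the order number is a Luhn-invalid 9-digit decoy.
SAMPLE_BODY = "Card 4111 1111 1111 1111, SIN 046 454 286, order 123 456 789, SSN 078-05-1120"

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")          # payment card, 13-19 digits
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")      # Canadian SIN, 9 digits
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")        # US SSN, AAA-GG-SSSS

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum; both payment cards and Canadian SINs use it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def find_sensitive(text: str) -> list:
    """Return (kind, match) pairs for validated card numbers, SINs and SSNs."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("card", m.group()))
    for m in SIN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("sin", m.group()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group()))
    return hits

def external_recipients(recipients: list) -> list:
    """Recipients whose domain is not the internal one (catches a mistyped CC)."""
    return [r for r in recipients if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]

def check_message(recipients: list, body: str) -> tuple:
    """Policy decision: block sensitive content leaving the domain, log it internally."""
    hits, ext = find_sensitive(body), external_recipients(recipients)
    verdict = "block" if hits and ext else ("log" if hits else "allow")
    return verdict, hits, ext
```

A real deployment would also inspect attachments and apply the same checks to copies made to removable media, which is where the checksum validation pays off by keeping the alert volume manageable.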


3.3 Million Records Lost After Break-in

A Minnesota company that processes loans for students nationwide has reported a major theft of “personally identifiable information” involving 3.3 million students after a break-in last weekend at its Oakdale headquarters.  No bank account or other financial information was included in the data.

Chief executive Richard Boyle said the theft occurred from a secured location at ECMC and involved portable media containing student loan borrowers’ personally identifiable information.  The media was apparently removed from a safe.

StarTribune

Royal London Mutual Insurance Society Security Breached – Action Taken

The UK’s Information Commissioner’s Office (ICO) has found that after 8 laptops were stolen from the company’s Edinburgh offices, the Royal London Mutual Insurance Society was in breach of the Data Protection Act (DPA).  Two of the laptops contained the personal details of 2,135 people.  Those affected were employees of firms which had sought pension scheme illustrations.

The laptops containing personal information were unencrypted but were password protected.  This is a common mistake made by management and IT folks alike.  Password protection can be easily circumvented.  Usually moving the hard disk into another computer is enough, but there are also TOOLS available to those who have their minds set on accessing your PII.  An internal report showed that the company was uncertain about the precise location of the laptops at times, and that physical security measures were inadequate.  Managers were not aware that personal information was stored on any of the laptops, meaning no additional precautions to secure the data had been taken.

The CEO has signed an Official Undertaking to ensure that portable and mobile devices are encrypted going forward.  The Undertaking also requires appropriate physical security measures to be put in place.  Learn a lesson from the mistakes of others.  Learn to sleep at night, adopt encryption on all mobile devices, and consider it for ALL electronic devices, PERIOD.  It is not a silver bullet for all of your security concerns, but it is definitely high-caliber ammunition!

ICO Enforcement