Scotiabank Lost 3 CDs

The Star is reporting that some Toronto clients of Scotiabank are concerned about possible exposure of their personal information after three CD-ROMs listing clients’ names, SIN numbers, registered account type and account numbers have gone missing.  The CD-ROMs were mislaid last Wednesday and the bank believes that they have been lost internally.  However, the bank is warning clients just in case, so that they can monitor their accounts and make sure there was no fraudulent activity.

The discs were to be sent to the Canada Revenue Agency as part of the bank’s requirements to provide such information.  The parcel containing the three CDs went missing while in internal mail between two Scotiabank departments.  The number of people affected remains unclear.  Scotiabank would only say a “small percentage” of clients had their confidential information on the CD-ROMs.  In an email to the Star, Scotiabank confirmed the CD-ROMs were missing, calling the incident an “extremely rare occurrence.”  Based on their investigation, they have no reason to believe that this incident puts customers at risk.

Scotiabank has strict processes and procedures in place to protect customer privacy and confidentiality.  I could find no information regarding whether or not the data was encrypted, so I must assume it was not.  I hope the CDs are found quickly, and there is no data exposure.

Health Net Breach Affects 1.9M

Managed health care provider Health Net has revealed that it lost the personal information of 1.9 million current and past enrollees, its second massive breach in 16 months.  In November 2009, the company lost a hard drive containing 1.5 million customer medical records.

Health Net provides health benefits to approximately six million people.  In this most recent incident, several server hard drives containing the personal information – names, addresses, health information, Social Security numbers and financial data – of former and current Health Net members, employees and health care providers recently went missing from its data center in Rancho Cordova, Calif.

Health Net began investigating the most recent incident after IBM, responsible for managing Health Net’s IT infrastructure, said it could not find the drives.  No word on whether or not the data was encrypted, but that generally indicates that it was not.  It sounds to me like someone had better be taking a long hard look at how hard drives and other media are handled, managed, and transported at this location, and by this vendor.  You rarely learn anything the SECOND time you are kicked by the same horse.

NY Hospital Data Theft Affects 1.7 Million

New York City officials have begun the process of notifying 1.7 million patients, staff, contractors, vendors and anyone else who was treated or who provided services during the past 20 years at 2 public hospitals in the Bronx.  The New York City Health and Hospitals Corporation said the theft could endanger the personal information of basically anyone who shared personal information with Jacobi Medical Center, North Central Bronx Hospital, or their many offsite clinics.

The stolen electronic records contained personal information, protected health information, and/or personally identifiable employee medical information.  HHC said in a statement that it “values and protects individuals’ privacy and confidentiality and deeply regrets any inconvenience and concern this may create for patients, staff and others affected.  The loss of this data occurred through the negligence of a contracted firm that specializes in the secure transport and storage of sensitive data.”  Computer backup tapes were stolen on Dec. 23, 2010, from a truck operated by GRM Information Management Services that was transporting them to a secure storage location.  The theft occurred while the GRM van was left unlocked and unattended during other pickups.  GRM reported the incident to the police and dismissed the driver.  The tapes were not encrypted.

There is no evidence that the data have been inappropriately accessed or misused, HHC said.  However, HHC is providing information and one year of free credit monitoring services to anyone who may be worried about possible identity theft.

All the details are at

So, what are they doing shipping unencrypted tapes around?  How is it possible that a hospital could be so negligent?  Why do their unencrypted tapes contain data collected over TWENTY YEARS?  Shouldn’t it be purged occasionally?  Oh, the legal fur is going to fly over this one.

GRC Management Solutions

As the security landscape continues to devolve, businesses will continue to adopt and implement security controls.  The earlier that a Governance, Risk and Compliance (GRC) Management tool is adopted by the business, the sooner overall compliance and security will improve, and the more likely security awareness will permeate the business culture.   GRC Management tools are designed to support and unify existing and new processes, such as:

  • Asset management
  • Configuration management
  • Policy management
  • Risk management
  • Alert/Event monitoring
  • Incident management
  • Vendor management
  • Business continuity & disaster management
  • ID provisioning
  • Access control management
  • Privileged ID & password management
  • Log management
  • Regulatory compliance monitoring
  • Records management
  • Email management
  • Security Awareness programs

Although these individual processes may exist within an organization, they are generally developed independently of one another as a need arises, lack the necessary links and feedback loops to support one another, and remain operating in silos, disconnected and unaware of one another.  The use of an over-arching GRC Management tool is what will link information from all of these activities together, providing the business with a clear, high-level picture of their security, compliance and technical operations, while allowing drill down into the weeds when problems are identified.  By eliminating redundant activities, GRC management tools can reduce total compliance costs and enable business leaders to get high-quality, accurate and timely information to support better business decisions.

GRC done right presents a powerful foundation for security efforts, allowing for clear definitions of metrics, success parameters, vision into the risk items that the business needs and should be managing, as well as operational effectiveness, all in a homogeneous and consumable format.  The key to success of the GRC management platform is its ability to extract, import and correlate data from multiple diverse sources.  It has been a while, so I believe that it is time once again for me to examine the vendors and offerings within this important niche.


Oracle – Game Changing Storage Announcement Coming

According to ComputerWorld, Oracle is poised to make a “game changing storage announcement” on January 31st. 

“We can’t tell you just how much this will improve your datacenter until the big event,” their website states, but customers will experience greatly reduced costs per terabyte as well as lower floor space.

I can’t wait to see what this vaporware turns out to be once it materializes.  I’m speculating that it has to do with replacing hard disks with NVRAM devices.  Warning, this speculation is 100% unfounded in fact.

Protecting Against Data Leaks

Wikileaks seems to have become a rather quiet issue.  Very little in the press lately, and not much discussion for such a high profile and potentially damaging experience.  In follow-up to “Could it Happen To You”, here are some thoughts on detecting data leakage, and protecting your sensitive data and intellectual property.

You will never completely eliminate the possibility that someone will leak documents to WikiLeaks or any other outside organization, and every organization, even those that operate legitimately and completely above board, has SOMETHING to hide.  From the competition, from enemies, everyone has intellectual property and those special trade secrets.  The opportunities and methods for extricating information in its various forms are just too diverse.  In order for any organization to function, individuals need to be able to access, copy, manipulate and print information.  There will always be a chance that an individual will intentionally or accidentally make that information available to an unauthorized audience or individual.  It could be as easy as adding the wrong email address on a CC list.  Auto-complete is notorious for making this example more common.
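The mis-addressed CC slip described above is one of the few leak paths that is cheap to catch before the message leaves.  The following is an added example, not code from the original post: a pre-send check that holds a message when a classified label is addressed outside the organisation, or when an external recipient shares a local part with an internal one (the typical auto-complete near-miss).  The domain names, labels and sample message are constructed assumptions.

```python
"""Added example: pre-send check for the mis-addressed CC mistake.
Organisation domains, labels and the sample message are constructed."""
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}  # assumed organisation domains
RESTRICTED_LABELS = {"internal", "confidential"}        # labels that must not leave

@dataclass
class Message:
    sender: str
    recipients: list  # To + CC, exactly as typed or auto-completed
    label: str        # classification label applied by the sender

def domain(addr: str) -> str:
    """Domain part of an address, lower-cased (whole string if no '@')."""
    return addr.rsplit("@", 1)[-1].lower()

def external_recipients(msg: Message) -> list:
    """Recipients whose domain is not one of ours."""
    return [r for r in msg.recipients if domain(r) not in INTERNAL_DOMAINS]

def lookalike_recipients(msg: Message) -> list:
    """External addresses sharing a local part with an internal recipient:
    the classic auto-complete slip (bob@example.com vs bob@example.net)."""
    internal_locals = {r.split("@", 1)[0].lower() for r in msg.recipients
                       if domain(r) in INTERNAL_DOMAINS}
    return [r for r in external_recipients(msg)
            if r.split("@", 1)[0].lower() in internal_locals]

def check_message(msg: Message) -> list:
    """Reasons to hold the message for sender confirmation (empty list = send)."""
    reasons = []
    ext = external_recipients(msg)
    if msg.label.lower() in RESTRICTED_LABELS and ext:
        reasons.append(f"{msg.label} message addressed outside the organisation: {ext}")
    look = lookalike_recipients(msg)
    if look:
        reasons.append(f"possible auto-complete mistake, look-alike address(es): {look}")
    return reasons

# Constructed sample: a confidential note where auto-complete picked a near-match.
SAMPLE = Message(
    sender="alice@example.com",
    recipients=["bob@example.com", "bob@example.net"],
    label="Confidential",
)

if __name__ == "__main__":
    for reason in check_message(SAMPLE):
        print("HOLD:", reason)
```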

Eliminate Common Means

In incident response, an attacker typically needs 4 things in order to launch a successful attack.

  1. The opportunity to attack.  This is provided to insiders by having access to data, and poor internal controls.
  2. The ability to attack.  This is provided by the tools and knowledge available to anyone.
  3. The motive to attack.  This could be monetary, moralistic, vengeful, accidental, etc.
  4. The means to complete the attack.  This is the physical or logical device used to move the data.


WikiLeaks – Could It Happen To You?

For enterprise IT managers and security professionals, the on-going WikiLeaks disclosures underscore the information security gaps that exist even when common security controls are in use by large organizations.  It is not necessarily the controls themselves that are flawed, but more often the supporting processes and procedures that were quickly pulled together under pressure, and seldom if ever revisited or audited at a granular level for optimal performance and completeness.

This entire ordeal also serves to highlight the importance of adopting a “trust, but verify” approach to hiring practices and access control.  This means that you need to be just a little bit more paranoid regarding your practices, without distrusting your employees.  Remember that everyone that you hire is human, and that people will make mistakes if mistakes are possible.  They are (hopefully) hired due to their capabilities and experience, but what really separates them from the other candidates that showed up for an interview?  Were you able to validate their claims of reliability and trustworthiness?  Trust that they will exercise good judgement, work towards corporate betterment, but verify that each access to sensitive data or corporate intellectual property is properly justified.   Remove the temptation to go astray, and by all means, let them know that you verify.  Your intentions are to DISCOURAGE criminal or damaging behavior, not ENTRAP those who may err or fall prey to social engineering.

What controls should be in place?  That depends on the type and classification of the information that is at risk.  When it comes to client financial and personal information, it is clear that monitoring, notification and escalation controls are a requirement.  Take a lesson from PCI, even if you don’t adopt it formally.  The PCI DSS is simply basic computer security.  A quick review of the 12 main PCI requirements shows nothing revolutionary, and they offer a solid starting point for virtually any security compliance engagement. 
