
AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security


Hard Drive Encryption: Stolen Laptop Did Not Use It, 109,000 Affected

NorthgateArinso, a software provider to The Pensions Trust, lost a laptop computer that contained the personal information of 109,000 people. Laptop encryption software such as AlertBoot endpoint security systems was not used to secure the device, although password protection was used.

Breached Data

The data breached in this latest set of UK-based data fiascos includes names, addresses, dates of birth, national insurance numbers, employer name, and salary details. For those currently receiving a pension, it also includes bank account details.

The laptop contained all this data because it was being used for development, training, and performance testing.

The Problem With Third Parties

The Pensions Trust cannot be blamed for this latest data breach. While it is their data, they cannot monitor what a third party is doing with it all the time. Sure, they can check up on things, but 24/7 monitoring? Impossible.

No doubt there will be those asking why the data was not encrypted. Newsflash: we don't know that it wasn't. It could very well be that the information was protected with encryption software. However, The Pensions Trust encrypting data and NorthgateArinso keeping it encrypted once they receive that data are two separate issues. In other words, what we do know is that the contractor did not employ adequate data protection measures.

A Better Option Than Encryption?

On the other hand, I guess The Pensions Trust could have done something to control the possibility of a data breach taking place.

No, I don't mean having the third party sign a contract stating they'd use encryption and other data security processes--things are too easy to sign and then ignore.

Rather, The Pensions Trust could have sent NorthgateArinso modified data.  If the developer needed the data in order to customize software for the trust, then the actual information is not necessary.  For example, "real" data such as the following:

Name: John Smith
DOB: 05/05/2005
National Insurance Number: AB 12 32 45 C

Could be modified to:

Name: Xcms Smith
DOB: 12/31/02
National Insurance Number: BZ 32 12 43 D

After all, developers don't need the actual data; what they need is the format of the actual data.  Take for example the date of birth.

5/5/05
05/05/05
05/05/2005
05 May 2005

All of the above are the same DOB, but depending on how The Pensions Trust saves the information internally, software developers will need to customize their software accordingly. It's the format that's important for these people.

So, had The Pensions Trust sent modified customer information to NorthgateArinso, there would be no data security breach under any circumstances--even if someone managed to steal a laptop computer--and the contractor would still be able to do its job.

However, this does not absolve NorthgateArinso from their failure to protect the data.  After all, if the ball's in your court, it's up to you to take action.
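One way to produce the modified data described above, as an added example that is not from the original post or from AlertBoot: each letter or digit is swapped for another of the same class, and dates are shifted but re-emitted in the layout they arrived in, so developers still see the real format. It goes beyond the post's hand-edited record by deriving the substitutions from a keyed HMAC, so the same value always masks to the same result; the key, the day-first date layouts and all function names are assumptions.

```python
import hashlib
import hmac
import string
from datetime import datetime, timedelta

# Constructed key for this example; a real key would stay with the data owner.
MASK_KEY = b"example-masking-key"
DATE_FORMATS = ("%d/%m/%Y", "%d/%m/%y", "%d %B %Y")  # day-first is assumed
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
# The post's illustrative "real" record, used here as sample input.
SAMPLE = {"Name": "John Smith", "DOB": "05/05/2005",
          "National Insurance Number": "AB 12 32 45 C"}


def _stream(field, value):
    """Endless keyed byte stream: the same input always masks the same way."""
    counter = 0
    while True:
        msg = f"{field}|{value}|{counter}".encode()
        yield from hmac.new(MASK_KEY, msg, hashlib.sha256).digest()
        counter += 1


def mask_text(field, value):
    """Swap each letter or digit for one of the same class; keep the layout."""
    rnd = _stream(field, value)
    out = []
    for ch in value:
        alphabet = next((a for a in CLASSES if ch in a), None)
        out.append(alphabet[next(rnd) % len(alphabet)] if alphabet else ch)
    return "".join(out)


def mask_date(field, value):
    """Move a date 1 to 3650 days earlier and re-emit it in the same layout."""
    for fmt in DATE_FORMATS:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        rnd = _stream(field, value)
        days = 1 + (next(rnd) * 256 + next(rnd)) % 3650
        return (parsed - timedelta(days=days)).strftime(fmt)
    raise ValueError(f"unrecognised date layout: {value!r}")


def mask_record(record, date_fields=("DOB",)):
    """Mask every field, treating the named ones as dates."""
    return {k: mask_date(k, v) if k in date_fields else mask_text(k, v)
            for k, v in record.items()}
```

Calling `mask_record(SAMPLE)` returns a record with the same keys and layouts but none of the original values. Unpadded input such as 5/5/05 is parsed but comes back zero-padded.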



About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.