AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Drive Encryption: Missing Tape Affects UK Farmers Tied To RPA

If you're a farmer in the UK, and have ever taken a payment from the Rural Payments Agency (RPA), consider yourself a victim of a data breach.  The RPA has lost computer tapes with information on farmers who have ever received an EU subsidy payment.  The tapes were not protected with encryption, as required.

39 Backup Tapes Go Missing, RPA Was Keeping Mum

The story was brought forth by whistleblowers from within the RPA as well as a consultant that has been advising the agency.  They did this because the situation has been festering since September, when the breach was discovered, and because they believed that the RPA and DEFRA (Department of Environment Food and Rural Affairs) would keep silent on the issue unless their hand was forced, per computerweekly.com.

According to sources, 39 tapes and one CD went missing (37 of the tapes were recovered) some time in May.  Currently two tapes are still missing.  The tapes included information on farmers' "bank details, addresses, passwords, and security questions."

IBM Blamed

The tapes were not lost while being transported, but misplaced at a data center run by IBM.  Supposedly, Accenture--an IT consultant--worked with the tapes and these were filed in the wrong section when IBM got them back.  A DEFRA spokesperson labeled it as "bad book-keeping" on IBM's part.

Of course, that doesn't explain what happened to the missing two tapes (nor does it make the situation excusable).  It is currently assumed that they were destroyed, but, let's face it: the possibility of these tapes having been stolen is as valid as assuming they were tossed.

Not Making The Breach Public Was DEFRA's Fault

From the story at computerweekly.com, it's quite clear that DEFRA ought to be blamed, too.  After all, the scandal doesn't only lie with the loss of the tapes, which by all accounts should be attributed to IBM.  What's scandalous is the fact that a government agency:

  • Did not use encryption software to protect the information, when it was required to.

  • Covered up a data breach.  As far as I know, there aren't any data breach notification laws in the UK.  However, it is mandatory for government agencies to share the loss of personal information with the Information Commissioner's Office.  The fact that this is coming as news across the UK's political echelons indicates it wasn't.

DEFRA Insists That Risk To Farmers Is Low

Because the information on the tapes cannot "be accessed without specialized technical equipment and knowledge," DEFRA insists that the risk of accessing the information is low.

Such an argument is not untrue.  After all, most people do not have access to a tape drive.  Assuming that the two missing tapes were stolen, the thieves won't be able to access the information easily (unlike stolen CDs or USB sticks).

On the other hand, if someone steals data tapes, it's generally because they have a method of extracting the data.  Otherwise, why steal them in the first place?

Instead of relying on a passive form of security (hoping that the thieves won't be able to access the data), DEFRA ought to have used file encryption and actively suppressed any potential attempts to access the data.


Related Articles and Sites:
http://www.computerweekly.com/Articles/2009/10/29/238341/farmers-bank-account-details-lost-by-rural-payments.htm
http://news.bbc.co.uk/2/hi/uk_news/8331759.stm
http://www.dailymail.co.uk/news/article-1223990/Personal-details-100-000-farmers-lost-Government-officials.html
http://www.telegraph.co.uk/earth/earthnews/6462293/Confidential-details-of-every-farmer-in-England-go-missing.html

 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.