AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Drive Encryption Software: Alaska Hit With 77,000 Worker Data Breach

Over 70,000 Alaskans have had their personal information "misplaced."  People who are affected are former and current state employees who participated in the PERS and TRS systems--Alaska's retirement systems.  It wasn't revealed how the breach occurred, but I'm assuming it was digital, and that data encryption was not used.

PricewaterhouseCoopers Doesn't Know Where Information Is

The breach was discovered in early December by the auditing firm, but the state was not notified until last week, according to press releases.  Names, dates of birth, and Social Security numbers of employees who participated in the Public Employees Retirement System (PERS) and the Teachers Retirement System (TRS) between 2003 and 2004 were affected.  The breach does not affect anyone hired after these years.

PwC had the information as part of an ongoing lawsuit in which it was representing the state.  In December, PwC discovered that the information could not be located.

PwC has settled with the state of Alaska, and is offering free credit monitoring and identity theft protection for all of those affected.  It will also be responsible in the event any funds are stolen from the 77,000 state employees.

It Must Be Digital

Why am I assuming it was digital information--data on computers, external hard drives, USB flash drives, and the like?  For the simple matter that if you were to print stuff out where there are 77 names on each page, it would be a 1,000-page document.  Those are kind of hard to miss and leave behind.

On the other hand, losing something like a USB memory disk with a spreadsheet of 77,000 names?  It's happened before.  Furthermore, if you read the security breach factsheet (link below), you'll notice that firewalls and encryption are specifically mentioned as measures the state of Alaska has implemented (in general, not as a response to this incident) to protect personal information.

Why mention it if this was not a digital data breach, as opposed to a paper data breach?  I guess it could be part of a boilerplate statement, and perhaps I'm reading too much into it.

And, my further assumption is that encryption software was not used if the breach did occur due to the loss of a USB disk or similar device.  Why?  Because of Alaska's Laws.

Alaska Has A Personal Data Breach Notification Law

Alaska's data breach notification law went into effect last year.  Among other things, violating the law means a penalty of $500 per person not notified, with a $50,000 cap, and the possibility of further collections via lawsuits.

Furthermore, the law's definition of personal information includes first and last names, and their SSNs.  If such information is lost, then a data breach is considered to have taken place.

Unless the information is encrypted:

"personal information" means information in any form on an individual that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and that consists of a combination of... [Sec. 45.48.090 (7)]

If the information was encrypted, PwC wouldn't have been required to alert anyone, if I'm reading the above correctly.  And, even if I'm wrong about such a conclusion, I'm pretty sure PwC wouldn't be offering credit and identity theft protection (which I'm assuming must cost anywhere between $500,000 and $1.5 million) if they had used data encryption software to secure the information: the risks of a full-blown breach are as minimal as they can get.

Heck, a guy would score a better chance of reconstructing shredded documents than hacking into encrypted data.


Related Articles and Sites:
http://www.legis.state.ak.us/PDF/25/Bills/HB0065Z.PDF
http://www.businessweek.com/ap/financialnews/D9DGVUE01.htm
http://www.alaskadispatch.com/images/media/files/news/politics/price-waterhouse-security-breach-factsheet.pdf
http://newsminer.com/pages/full_story/push?blog-entry-Security+breach+may+affect+77-000+Alaskans%20&id=5689968&instance=blogs_editors_desk
http://www.ktuu.com/Global/story.asp?S=11896773

 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.