AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Managed Encryption Service: E & Y Hostage To Used Computer Dealer

Well, I guess you can monetize just about anything nowadays.  According to a story I first encountered at databreaches.net, a Canadian man who bought used servers has alerted Ernst & Young (and the Canadian Privacy Commissioner) that he's holding their data… and asking for compensation.  If only the data had been protected with something like AlertBoot's managed encryption solution…

Legal Wrangle

The situation seems to go as far back as 2006, when the used computer dealer, Mark Morris, bought a number of Dell servers from Synergy Partners.  This firm was acquired by E&Y in 2003.  Once Morris saw that the servers contained sensitive data he could access, he contacted E&Y.  He supposedly asked for $50,000 to begin deleting the data "from where he has stored it, though not on the primary server."

I have no idea what this means, but it almost sounds like Morris had made backup copies, and was offering to delete them for a cool $50K.  Bids were made for the information (again, supposedly) for $1.2 million.  When you consider that personal information, no matter how sensitive, goes for less than $500 – and often for $10 or less – at least 2,400 people's data appears to be on the server.

E&Y, for their part, note that they do the utmost to protect sensitive data.  They have questioned whether the so-called servers with data are under Morris's power.  Indeed, via a deal they've reached with Morris, E&Y will be paying the latter $1,500/day to start going through the data.  Not bad for an initial down payment of $300…and 8 years.

Oversight?

According to Morris, E&Y said that, "if the data exists on the server, then it was by mistake".  Well, of course it was.  What kind of company would go around doing it (or saying that they did it) on purpose?

The point is there are many ways that one can ensure such a mistake doesn't happen.  For example, any company the size of E&Y (and in a knowledge-based sector) has policies for disposing of electronic equipment that once held data.  Policies vary by company, but a common procedure is to take possession of the old equipment; delete the data in a secure manner; and then dispose of the equipment, which includes its physical destruction.

Backups and contingencies can be incorporated at every stage.  For example, (1) use encryption, (2) delete data, and (3) destroy the hard drives when retiring the equipment.  Any one of these will prevent a data breach even if the other two fail: assuming the encryption was not installed properly (which opens up a can of worms in its own right) and that the data deletion did not take place, the hard drive destruction phase will take care of business, and so on and so forth.

Of course, this doesn't mean that the risk of a data breach has been eliminated: in the world of risk, systematic risks will always remain.  However, these pertain to situations that are outside of one's control, such as someone pointing a gun at an employee and demanding his laptop computer, or finding out that your IT director has been stealing equipment.

For a server that was sold off, you just can't have a good excuse for a data breach.  Likewise for any old equipment that was sold off, including laptops, external hard drives, and soon enough, smartphones and tablet computers.

Related Articles and Sites:
http://www.databreaches.net/ernst-young-accused-by-canadian-of-massive-data-breach/
http://www.networkworld.com/article/2604411/security0/ernst-and-young-accused-by-canadian-used-computer-dealer-of-data-breach.html

 

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.