AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

November 2014 - Posts

  • Human Resources Data Encryption: Godiva Chocolatier Has Data Breach

    It's not often that you can associate a chocolate merchant with the world of data breaches, but it's not impossible, either.  Especially if you make the mistake of not using something like AlertBoot's managed laptop disk encryption to secure the company's sensitive data.

    Godiva, the international maker of excellent chocolate, has experienced a data breach that will impact an undeclared number of employees.  The data breach involved a car, a laptop issued by the company, and an HR employee who was visiting retail locations.

    Same Old, Same Old

    The story of laptop computers being stolen from cars is an old one.  It doesn't matter if you store it in the passenger seat, beneath the seat, or in the trunk: you've got a "secret" place to store valuables in a vehicle, I've got a data breach story for it.

    In this particular case, I'm not quite sure where the laptop computer was stolen from, but I think it's probably the trunk:
    we learned that a suitcase was stolen from a rental car that a human resources employee was using to visit Godiva’s retail stores that day. The suitcase contained the employee’s personal items and the laptop provided to the employee by Godiva…A password is required to log-in to the laptop, but the hard drive was not encrypted. The nature of the employee information on the laptop may vary with regard to the Company’s different employees, but it may have contained your name, address, and Social Security number. To date, the laptop has not been returned or found.
    The computer was provided to the employee by the company.  A password was in place…but encryption software was not installed?  On a computer that contains HR data?  That will be taken out of the office (and hence company security perimeters)? In 2014?

    I hope it was an oversight, but you really can't excuse such a thing in this day and age.  Especially for a company that brought in over $700 million in revenue in 2013.

    A Twist on the Same Old, Same Old

    This story is quite the hackneyed one.  However, there was an element to it that brought back memories of an article I read as a kid, and led me to wonder about the theft: what if the employee was targeted because he/she was an out-of-towner?

    While I'm hazy on the details of the article (it's been decades), this was how criminals were targeting tourists visiting Florida – by identifying the car they were riding in.  Here's a digest from (my emphasis):
    Response after this eighth death [of a Miami tourist] in under a year was resounding. Headlines in the British tabloids read "Come to Sunny Florida and be Murdered for Absolutely Nothing," "Slaughter in the Sunshine" and "Plan Your Trip Like a Commando Raid." Governor Lawton Chiles issued an emergency executive order abandoning the Y-and-Z-beginning Florida tags for rentals and offering agencies a chance to trade them in for a vastly reduced fee. Sadly, fewer than 10% responded. Rental agencies were also instructed to remove all identifying marking from their rented vehicles so as not to tip off potential carjackers.
    I don't know how the rest of the country deals with rental cars, but I've found that tagging rental cars as rentals, via the license plate, is not an uncommon practice across the world.  If this was true for the Godiva employee's case, then he or she was running an increased risk of a car theft… and so an increased risk of a data breach.

    Which would make it a less hackneyed story but still egregious from a data security standpoint.  If you're carrying around human resources data, chances are that it's sensitive personal information.  There is no excuse for not having it protected.
  • Laptop Encryption: Beth Israel Deaconess To Pay $100K To Settle Breach Of Personal Laptop

    Beth Israel Deaconess Medical Center will settle with the Massachusetts Attorney General's Office to the tune of $100,000 for causing a data breach when a laptop computer was stolen from its campus.  This amount is on top of the $500,000 that the hospital paid to deal with the data breach itself (as of August 2014, according to ).  The use of disk encryption software goes a long way towards preventing such "fines" from being assessed, as many people know: there are legal safeguards as well as technical ones.

    However, the hospital couldn't take advantage of these for a very simple reason: the stolen laptop was the personal device belonging to a physician, and so the hospital had no direct control over its security… in theory.

    Does Not Mean "Ban Personal Devices"

    The data breach occurred in 2012 (that's right, two years ago) and affected nearly 4,000 people.  The laptop was a personal device.  Why is BIDMC being held responsible?

    According to the complaint against BIDMC [Beth Israel Deaconess Medical Center], in May 2012, an unauthorized person gained access to a BIDMC physician’s unlocked office on campus and stole an unencrypted personal laptop sitting unattended on a desk. The laptop was not hospital-issued but was used by the physician with BIDMC’s knowledge and authorization on a regular basis for hospital-related business.

    As the quoted passage shows, BIDMC cannot but be held accountable.  They knew of the laptop's presence and use.  The physician had obtained authorization.  The laptop was stolen from the hospital's premises.  I mean, except for the question of ownership, you may as well call it the hospital's machine for all intents and purposes as they relate to the data breach.

    It's About Securing Data

    It's hard to understand how BIDMC got it so wrong.  The need to use encryption solutions on sensitive data has been known by the medical community well before 2012.  It makes even less sense seeing how the medical center is located in Boston – meaning they have to deal with HIPAA/HITECH as well as the quite arduous Massachusetts data security laws.

    Indeed, certain organizations feel that the laws are so oppressive that they actually ban the use of personal devices at work.  It's an extreme attempt at controlling the risks of a data breach.  Why BIDMC decided to go the other way is a complete mystery to me.  Perhaps they made the mistake of believing it was a matter of securing hospital devices: because the physician's laptop was not hospital property, it was decided that there was no need to encrypt the device.

    The problem with this approach, among other things, is that laws and regulations clearly point out that it's the data that needs to be protected.

  • Data Encryption: Apartment Front Office Broken Into For Personal Info

    According to, the front office of a Houston apartment complex was broken into in August, resulting in the theft of personal information for hundreds of people.  What's new, right?  Well, it turns out the thieves got the information from a filing cabinet.  In other words, because a computer or other electronic media was not used, capitalizing on the power of managed data encryption software like AlertBoot was not possible.  And unlike other breach reports, this incident has turned at least one person into an ID fraud victim.

    SSNs Stolen, $2000 in Charges

    The August break-in resulted in the theft of "full names, Social Security numbers, address[es]…and bank routing numbers."  Plus, according to an interviewee, someone had opened up a credit card in his name and racked up $2,000 in a shopping spree.

    (Which, based on certain reports, could actually be valued at more than $2,000.  There is some kind of scam going on where shoppers are conning Walmart to match fake Amazon price listings, resulting in the sale of PlayStation 4 consoles at less than $100.  These gaming machines retail for $400.  Combine it with bogus credit cards, and a guy who timed it well could have $8000 worth of PS4 in his hands).

    One of the more frustrating things for the above person must be the fact that they "had the credit bureaus on alert within hours of" being notified about the breach but were still victimized.  It goes to show that, once you have a data breach, it's not easy to rectify things or prevent them from happening.  In these cases, an ounce of prevention really is worth a pound of cure.

    Digital Data over Paper Data

    For all the hubbub in the media over how easy it is to steal digital data, the truth is that paper records can be (and are) just as easy to steal.  More important, and something nobody really discusses, is that they are harder to protect.  With data stored on a laptop, a few clicks to install full disk encryption is all it takes: once the drive is encrypted under a properly generated key and a strong password, recovering the data from the stolen hardware alone is computationally infeasible, even for a government lab with a large budget.  The realistic attacks are against the password, or against a machine that is still running and unlocked, as the Brigham and Women's story on this same page shows.

    Doing the same for paper documents takes some downtime, a brick through a window, and a criminal mentality, depending on the location.  Any amateur can make a go for it.

  • Laptop Encryption: Thieves Stick Up Doc, Ask For Passwords To Encrypted Computer

    Brigham and Women's Hospital (BWH) has notified nearly 1,000 people that a computer that was protected with laptop encryption software has been stolen.  Normally, the use of encryption would provide safe harbor from sending such a notification letter, not only under HIPAA (the federal law that governs medical organizations) but also under Massachusetts's data protection and notification laws, which are among the most rigorous in the US.

    This, however, was not to be: the thieves who stole the laptop also forced the password from the doctor by placing him under duress.

    Tied to a Tree, Held at Gunpoint

    According to the breach notification letter, as well as coverage by, the holdup occurred back in September in Jamaica Pond (a Boston neighborhood that is not necessarily known for its safety).  Two assailants stole a doctor's cellphone and laptop:
    He was tied to a tree while one man held a gun and the other brandished a knife.

    Although both the laptop and cellphone were encrypted, they were stolen during an armed robbery on Sept. 24, and the hospital said the suspects forced the victim to give the pass codes during the robbery.
    It sounds like something that came out of a script for a B-film or something.  But then, they do say that art imitates life (and vice versa).  Anyhow, on to security issues.  This story reveals a number of things most people don't really think about when it comes to data security.

    First, there are caveats to HIPAA's data breach notification laws.  Many of our clients who call in looking for our managed laptop encryption services are under the impression that the use of encryption gives them complete safe harbor from the breach notification requirements.  This is not so and never has been.

    In order for safe harbor under the Breach Notification Rule to kick in, the following conditions must also be met: (1) the encryption used must follow the NIST guidance that HHS points to (NIST SP 800-111 for data at rest).  This means a standard cipher at least as strong as AES-128, along with sound key management and a number of other requirements.  (2) The HIPAA covered entity must be able to demonstrate that the lost or stolen device was actually encrypted at the time it went missing; the burden of proof is on the covered entity, so there must be some kind of report and paper trail showing the device's encryption status.  (3) The password or encryption key must not be compromised.  HHS guidance is explicit that the key must not be stored with the data it protects, and, as this story shows, a key or password forced out of its owner counts as compromised.  If any of these conditions are not met, you won't be able to claim safe harbor.
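    Condition (2) is the one most organizations stumble on, because the evidence has to exist before the device goes missing.  As an added example (not AlertBoot's code, and not part of the original post), the Python below parses the output of Windows' own manage-bde -status command into a dated record that answers the three questions above for every volume: is the cipher AES with at least a 128-bit key, is the volume fully encrypted, and is protection actually on.  That last check matters because a suspended BitLocker volume stores its key in the clear on the disk, which fails condition (3) even though the data is nominally encrypted; the example also notes volumes whose only protector is a password, since their strength is then the password's strength.  The status text and the hostname are constructed stand-ins, not captured from a real machine; a central console would collect the real thing on a schedule and keep the records.

```python
"""Turn `manage-bde -status` output into a dated encryption-evidence record.

Added example (not AlertBoot's code). SAMPLE_STATUS is constructed to follow
the layout of Windows' `manage-bde -status`; it was not captured from a real
machine, and the hostname passed in below is a placeholder.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample: C: is fully protected; D: is mid-encryption with
# protection suspended, which leaves the volume key in the clear on disk.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 237.35 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [HR Data]
[Data Volume]

    Size:                 465.76 GB
    BitLocker Version:    2.0
    Conversion Status:    Encryption In Progress
    Percentage Encrypted: 63.2%
    Encryption Method:    AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Password
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]):", re.M)
FIELD_RE = re.compile(r"^ {4}(\S[^:]*?):[ \t]+(\S.*?)[ \t]*$", re.M)
PROTECTOR_RE = re.compile(r"^ {8}(\S.*?)[ \t]*$", re.M)
METHOD_RE = re.compile(r"^(XTS-)?AES (\d+)")   # e.g. "XTS-AES 128", "AES 256"


def parse_status(text):
    """Map each drive letter to its status fields plus a list of key protectors."""
    parts = VOLUME_RE.split(text)            # [banner, "C", body, "D", body, ...]
    volumes = {}
    for letter, body in zip(parts[1::2], parts[2::2]):
        fields = {k.strip(): v for k, v in FIELD_RE.findall(body)}
        fields["Key Protectors"] = PROTECTOR_RE.findall(body)
        volumes[letter] = fields
    return volumes


def evaluate(vol):
    """Check one volume against the three safe-harbor conditions."""
    findings, notes = [], []
    m = METHOD_RE.match(vol.get("Encryption Method", ""))
    if not m or int(m.group(2)) < 128:                       # (1) NIST-grade cipher
        findings.append("cipher is not AES with a key of at least 128 bits: %r"
                        % vol.get("Encryption Method"))
    if vol.get("Conversion Status") != "Fully Encrypted":    # (2) provably encrypted
        findings.append("volume not fully encrypted (%s done)"
                        % vol.get("Percentage Encrypted", "?"))
    if vol.get("Protection Status") != "Protection On":      # (3) key not exposed
        findings.append("protection suspended: volume key is stored in the clear")
    if "TPM" not in vol.get("Key Protectors", []):
        notes.append("no TPM protector; unlock strength is the password alone")
    return {"safe_harbor": not findings, "findings": findings, "notes": notes}


def evidence_record(hostname, status_text, collected_at=None):
    """Build the dated record an administrator would file for a lost device."""
    when = collected_at or datetime.now(timezone.utc)
    volumes = parse_status(status_text)
    results = {letter: {"method": v.get("Encryption Method"), **evaluate(v)}
               for letter, v in volumes.items()}
    return {
        "hostname": hostname,
        "collected_at": when.isoformat(),
        "volumes": results,
        "all_volumes_safe": all(r["safe_harbor"] for r in results.values()),
    }


if __name__ == "__main__":
    # "hr-laptop-01" is a placeholder hostname, not a real asset.
    print(json.dumps(evidence_record("hr-laptop-01", SAMPLE_STATUS), indent=2))
```

    Run on the constructed sample, C: passes all three checks while D: is flagged twice (not fully encrypted, protection suspended) and noted once (password-only protector).  Only a record like this, dated before the theft, lets a covered entity meet condition (2); collecting it after the laptop is gone proves nothing.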

    Second, we've heard from clients who're looking for "NSA-proof encryption".  We don't know what that means, but we're pretty sure it doesn't really exist.  Also, why would the medical community be looking for something that's NSA-proof?  Not only does it sound a little overkill, but as the above story shows, two hoodlums can easily succeed where G-men behind a bunch of computer screens cannot (or maybe they can).

    Are Laptops Really Stolen for Their Hardware Value?

    Last but not least, the above story puts into question past stories where the breached entity proclaims that they "believe that a laptop was not stolen for the data."  Of course, from a very literal and technical standpoint, they're not wrong: the representatives of the breached entity can believe whatever they want; they can believe that the laptop will be used as a beer coaster, however unlikely it may be.

    The implication, on the other hand, is that data saved to an unencrypted laptop is probably safe.  The above puts the kibosh on such speculation: if thieves are now willing to tie up people and threaten the beejezus out of them in order to get into a stolen laptop, doesn't it make it more than possible that they've already been scraping for personal data on unencrypted laptops?

    It's beyond me how any self-respecting company that claims they've got the security of their clients' information at heart can even be writing such drivel.  Not BWH, though: they had encrypted their laptops.  What happened afterwards was literally out of their control.
  • Laptop Encryption: Don't Forget To Use Strong Passwords

    According to, one of the most sought-after (and currently incarcerated) hackers was identified and trapped because he used his pet's name as his password to his Mac disk encryption.  At least, he thinks that's how it happened.  He's probably right, seeing how it was "Chewy123".

    The Interview

    In an interview conducted with Jeremy Hammond, who was given a 10-year sentence for hacking into government websites and other cyber-hijinks, the incarcerated hacker reveals not only his motivations, political and otherwise, but what happened on the day the feds burst through his door.

    It almost sounds like he was expecting it:
    Hammond was smoking pot and chatting with friends in the kitchen of his Chicago home when the front door was kicked in. Someone threw a flash bang.

    "There were all these dudes with assault rifles," he said.

    Everyone else hit the floor, but Hammond dashed to his bedroom to slam shut his encrypted Mac laptop.
    The above, of course, means that Hammond closed the lid of the laptop.  The idea behind doing so is simple: with full disk encryption, everything on the drive is always stored as ciphertext, and what changes is whether the key that decrypts it is available.  When the computer is off, or is waiting for the password to be entered, the key is not present and the contents are unreadable; once you've logged in, the key sits in memory and the system reads and writes the disk transparently, so the encryption is effectively "off" for anyone with access to the running machine.  Slamming the lid was meant to take the machine out of that state and put the encryption back between the data and whoever had just come through the door.  One caveat a practitioner would add: closing the lid normally only puts a Mac to sleep, and a sleeping Mac keeps the FileVault key in RAM, so at that point the data is guarded by the login password rather than by the cipher.  A full shutdown, or configuring the machine to discard the key on standby (pmset's destroyfvkeyonstandby setting together with hibernatemode 25), is what actually removes the key.

    Or at least, that was the idea.

    Weak Passwords

    Encryption works.  This has been proven time and time again.  Modern ciphers, such as the AES algorithm that FileVault uses on Macs, are so strong that brute-forcing the key is out of reach of any computing effort that exists or is foreseeable; it is not a matter of decades or centuries but of a key space so large that exhausting it is simply not an option.

    And because of that, anyone trying to break into an encrypted system tends to target the password, since passwords tend to be much shorter and far less random than keys, and thus much easier to guess.  How much easier?  That depends heavily on how fast the attacker can try guesses: a disk-encryption password that has to be run through the product's deliberately slow key derivation (FileVault uses PBKDF2) on every attempt is much harder to guess at than a password hash that can be attacked offline on a rack of GPUs.  Some recent research reports that, against the latter, any password shorter than 15 characters can be expected to fall within a week, and the current guidelines in certain circles call for a 22-character password if a password is going to stay useful.

    Chewy123 is not such a password.  Furthermore, there are other problems with this particular password choice: 
    • Chewy is a dictionary word.  Running a list of words found in a dictionary through the password prompt (if you will) is pretty easy and standard when it comes to cracking passwords, and crackers try the obvious capitalization variants of each word as well.
    • 123 is a very oft-used add-on to passwords when trying to create an alphanumeric password; three digits multiply the attacker's work by a thousand at most.
    • Chewy is also the name of Hammond's cat.  People looking to break passwords will use personal information like mothers' maiden names, birthdates, old addresses, names of friends, and names of pets, and that list is far shorter than any dictionary.
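    To make the three points above concrete, here is an added example (not from the original post, and not AlertBoot's code) that scores a candidate password the way a cracker's first passes would: personal fact, dictionary word, and digit suffix, before falling back to brute force over the character classes actually used.  It also converts the guess count into worst-case time at two assumed guess rates, to show why the slow key derivation in a disk-encryption product matters as much as the password itself.  The word list, the "personal facts", and the rates are constructed for illustration; a real cracker's word list is vastly larger and its rule set richer.

```python
"""Score a passphrase the way a cracker's first passes would.

Added example, not from the original post. The word list, personal-fact
list and guess rates below are constructed for illustration; real crackers
use word lists of hundreds of thousands of entries and many more rules.
"""
import math
import re

DICTIONARY_SIZE = 170_000          # size of a typical English word list (assumed)
SAMPLE_WORDS = {"chewy", "password", "godiva", "boston", "hospital", "summer"}
# What an investigator could learn about the target (constructed): pet, city, year.
PERSONAL_FACTS = {"chewy", "chicago", "1985"}
CAPS_VARIANTS = 3                  # word, Word, WORD
DIGIT_SUFFIX = re.compile(r"^(.*?)(\d{1,4})$")

# Guess rates, assumed for illustration: an offline GPU attack on a fast hash
# versus a guess that must run through a disk-encryption KDF such as PBKDF2.
ASSUMED_RATES = {"gpu_fast_hash": 1e10, "disk_encryption_kdf": 1e4}


def estimate_guesses(password, personal=PERSONAL_FACTS):
    """Return (guesses, reasons): the guesses an attacker needs in the worst case."""
    reasons = []
    core, digits = password, ""
    m = DIGIT_SUFFIX.match(password)
    if m and m.group(1):                       # split "Chewy123" into "Chewy" + "123"
        core, digits = m.group(1), m.group(2)
    base = core.lower()
    if base in personal:
        guesses = len(personal) * CAPS_VARIANTS
        reasons.append("'%s' is a known personal fact" % core)
    elif base in SAMPLE_WORDS:
        guesses = DICTIONARY_SIZE * CAPS_VARIANTS
        reasons.append("'%s' is a dictionary word" % core)
    else:
        # Brute force over the character classes actually present in the core.
        alphabet = sum(size for pat, size in
                       ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
                       if re.search(pat, core))
        guesses = alphabet ** len(core)
    if digits:
        guesses *= 10 ** len(digits)
        reasons.append("digit suffix '%s' multiplies the work by only %d"
                       % (digits, 10 ** len(digits)))
    return guesses, reasons


def report(password, rates=ASSUMED_RATES):
    """Effective bits and worst-case seconds to exhaust, per assumed guess rate."""
    guesses, reasons = estimate_guesses(password)
    return {
        "password": password,
        "bits": round(math.log2(guesses), 1),
        "reasons": reasons,
        "seconds_to_exhaust": {name: guesses / rate for name, rate in rates.items()},
        "aes128_bits": 128,   # for comparison: the key the password protects
    }


if __name__ == "__main__":
    for pw in ("Chewy123", "Summer2014", "xK9#pQ2m"):
        print(report(pw))
```

    Against the constructed fact list, "Chewy123" costs an attacker about 9,000 guesses (roughly 13 bits of effort against a 128-bit key), which is under a second on any hardware regardless of how slow the key derivation is.  A dictionary word with a year suffix fares better only by a few orders of magnitude; a password that forces the fallback to brute force is where the slow KDF starts to buy real time.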

    What's the moral of the story?  I guess one is "don't use weak passwords."  And I guess another is " don't do stuff that will get you arrested."  But regardless of what it may be, I think we can conclude one thing for certain: nobody wants to be using long, complex, "un-memorizable" passwords, not even hackers.  But, that will cost you when you least expect it.

  • Laptop Disk Encryption: Coca-Cola Sued For January 2014 Laptop Theft (and Recovery)

    I learned via that Coca-Cola has been sued over a data breach that occurred earlier this year: laptop computers that were not protected with disk encryption software like AlertBoot were stolen by a (former) employee.  While certain details weren't as forthcoming at the time, it was obvious that the employee's misdeed was made easy by the fact that the computers were marked for disposal… and he was in charge of disposing of them.

    Why the Lawsuit?

    Perhaps the latest lawsuit is just more evidence that the US is an overly litigious country: all the computers that were stolen by the wayward employee were recovered, as I noted in a previous entry.  Indeed, these had been recovered by the time the breach notification letter had been sent to affected employees.

    On the other hand, the fact that they contained sensitive personal data and were easily accessible (remember, the laptops don't appear to have been protected with encryption software) does mean there is room for concern, however slight it may be.  What guarantees do affected employees have that their information was not stolen and sold prior to the laptops being recovered?

    Had encryption been in place – quite unlikely, as I explained in my previous entry on the Coca-Cola breach – the company would probably see the case thrown out of court.  Among other things, Georgia is one of the many states whose breach notification law provides safe harbor when the sensitive information was encrypted.  But, as the company admitted, the laptops were not encrypted, apparently due to an oversight.

    Something else that may have impacted the decision to go to court: 55 laptops were involved, according to the short blurb I can read at .  Losing a couple of laptops is one thing; losing 55 is something else.  My initial surprise wore off pretty quickly, but I can see how an individual who was directly affected by the breach might still be seething.
