The UK's Information Commissioner's Office (ICO) has fined an insurance company, Royal & Sun Alliance (RSA), a total of £150,000 for the theft of an external storage device with information on nearly 60,000 clients (and credit card details for 20,000 people).
Unlike your run-of-the-mill hard drive theft cases, there are a number of wrinkles to RSA's data breach. To begin with, the external storage device in this case is a NAS (a network attached storage device).
NASes are like external hard drives, but also so much more. One of their key differentiators to the lay person is their size: despite the modern emphasis on miniaturization, a typical NAS is still fairly large. It's not unlikely for one to be about as big as a Nintendo Cube (or bigger). Because of that physical size, it's not possible to surreptitiously steal one of these babies; some thought and strategy, and possibly some pre-planning, is needed when stealing such a device.
The other wrinkle is that the NAS was stored in a data server room which can only be accessed with "an access card and key," leading to the belief that staff or visiting contractors stole the NAS.
In other words, it wouldn't have been easy to steal the device.
And yet, as subsequent events have shown, it would not have been impossible, either. While NASes can offer file encryption, the stolen machine's data was not encrypted – either because this particular NAS didn't offer it or because someone in IT did not deem it worthwhile; excusable, some may think, since it was under lock and key.
Well, it wasn't excusable. Far from it, as the six-figure fine shows. It's one thing for your average Joe to not encrypt his sizable storage device that he keeps locked up. A multinational insurance company, on the other hand, has responsibilities, and keeping the same data security practices as your average Joe is contemptible.
Especially when you consider that up to 40 people were allowed unsupervised access to the room storing the NAS, or that nobody realized that the device had gone missing for over two months.
This is exactly the type of situation where you want any sensitive data to be encrypted.
Only the ICO knows how the fine's final amount was calculated. However, they note under "mitigating features" that the "personal data held on the device was not easily accessible."
There must be some confusion here, since the lack of encryption makes access to the data quite easy. It's true that you probably can't just access the information directly from a computer; however, a simple Google search will provide more than enough helpful links for getting to the data, with instructions that your average middle-schooler could follow while half-asleep.
Imagine what staff or contractors who were given access to a data server room, literally a room that techie types go into, could do with access to the internet and a few keystrokes.