44% report they were able to prove the use of encryption
Absolute Software and the Ponemon Institute have come out with a number of reports on the "human factor" when it comes to data security. It turns out that a huge factor when it comes to data security is people (just like Soylent Green); nothing surprising there. For example, business managers think that their laptop computer is secure once hard disk encryption is in place.
IT managers, on the other hand, realize that they still need to employ other forms of security, such as using cable locks on their laptops. However, what really caught my eye is the following:
Ninety-five percent of IT practitioners report that someone in their organization has had a laptop lost or stolen and 72 percent report that it resulted in a data breach. Only 44 percent report that the organization was able to prove the contents were encrypted.
In other words, slightly more than half of those surveyed were unable to provide evidence that sensitive information was encrypted--even if they had it in place!
Proving encryption was used is important: regulators
Not being able to provide positive proof of encryption is problematic for at least a couple of reasons.
First, it makes one wonder how the IT department knows which machines were protected and which ones weren't. Sure, one could send a command for "all computers" to be protected over a network. However, the IT department still needs to follow up and ensure that those machines are indeed protected. I mean, what if the process failed, possibly because a number of machines were unpatched with the latest updates? There are so many things that could go wrong.
Remember, the point is not to go through the motions--pushing buttons on a software package--but to safeguard sensitive, confidential data.
Second, how else are you going to convince regulators, state attorneys general, and the like that you did have adequate protection on a machine? You need some kind of proof other than, "Bob from the IT department KNOWS that machine was encrypted." You have to be able to put forward something other than a guy's word.
Third parties for resolving conflict of interest
Many companies opt for in-house deployment of encryption software (which I encourage, if that's what your company needs; and that's saying something, since what we at AlertBoot offer is a managed encryption service--disk security as a service, if you will) because of security concerns.
I've found out that in significant instances, clients will opt for outsourced encryption like AlertBoot despite their misgivings.
Initially, I figured it was due to the cost savings involved with managed encryption services: no need to invest in more hardware; no need to update and upgrade, both hardware and software; no need for ongoing maintenance; etc.
Turns out that a chief consideration among these clients was the conflict of interest when it comes to proving that their machines are encrypted: When people are accused of lying and doctoring documents, how can a company prove--without a trace of doubt--that a computer is indeed protected?
The answer: get an outside organization to take care of it. Essentially, the idea is that "Chinese Walls" don't work, and the guys in the IT department can feel as much pressure to do questionable things as, say, accountants. After all, they have the same boss.
Of course, the clients wanted to make sure that the ability to audit the encryption status of their machines was accurate (one might say this borders on cynicism and paranoia, but I'd disagree: do you know how many reports I read where hard drives bought from on-line auction sites still contain confidential data, in certain cases confidential corporate data? In many such instances, outside contractors hired to pulverize a disk just sold it).
The true cynic, naturally, would point out that third parties are as likely to succumb to corporate pressure: Arthur Andersen's financial audit of Enron, for example, is now considered a classic case.
However, remember that at the time there were five large accounting firms (the so-called Big Five): the other four firms didn't succumb to the same pressure, which is the rule, not the exception.
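The two points above (you need evidence of encryption status that is better than an IT guy's word, and the evidence is more credible when an outside party holds the means of producing it) can be made concrete. The following is an added example, not AlertBoot's code and not anything from the Ponemon report: it reads a Linux machine's block-device layout, decides per mounted filesystem whether a dm-crypt/LUKS mapping sits beneath it (so LVM-on-LUKS is recognized), and wraps the result in a record tagged with HMAC-SHA256. The `lsblk -P` output, the host name, the `/boot` exemption and the idea that the HMAC key is held by the auditor rather than the IT department are my assumptions, not the post's.

```python
"""Added example, not AlertBoot's code or the Ponemon report's: produce a signed,
tamper-evident record of a machine's disk-encryption status for audit evidence.

Assumptions (mine, not the post's): status comes from `lsblk -P -o
NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` on Linux; a mounted filesystem counts as
encrypted only if a `crypt` device sits somewhere beneath it in the block
stack; the HMAC key is held by an outside auditor, not the IT department.
"""
import hashlib
import hmac
import json
import shlex
from datetime import datetime, timezone

# Constructed sample: LUKS -> LVM root, unencrypted EFI partition, unencrypted /data.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptlvm" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptlvm"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data" PKNAME="sdb"
"""

# Mounts that are expected to be cleartext (boot loader, EFI system partition).
EXEMPT_PREFIXES = ("/boot",)


def parse_lsblk_pairs(text):
    """Parse lsblk -P (KEY="value" pairs) output into a dict keyed by device name."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted(devices, name):
    """True if the device or any ancestor (via PKNAME) is a dm-crypt/LUKS mapping."""
    seen = set()
    while name and name not in seen:  # guard against malformed cyclic input
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt":
            return True
        name = dev["PKNAME"]
    return False


def encryption_status(text):
    """Map every mounted filesystem to whether it is backed by encryption."""
    devices = parse_lsblk_pairs(text)
    return {dev["MOUNTPOINT"]: is_encrypted(devices, name)
            for name, dev in devices.items() if dev["MOUNTPOINT"]}


def _canonical(record):
    # Stable serialization so signer and verifier hash identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_evidence(hostname, lsblk_text, auditor_key, collected_at=None):
    """Build the status record and tag it with HMAC-SHA256 under the auditor's key."""
    mounts = encryption_status(lsblk_text)
    record = {
        "host": hostname,
        "collected_at": collected_at or datetime.now(timezone.utc).isoformat(),
        "mounts": mounts,
        "all_encrypted": all(enc for mp, enc in mounts.items()
                             if not mp.startswith(EXEMPT_PREFIXES)),
    }
    record["hmac_sha256"] = hmac.new(auditor_key, _canonical(record),
                                     hashlib.sha256).hexdigest()
    return record


def verify_evidence(record, auditor_key):
    """Recompute the tag; any edit to the record after signing makes this False."""
    tag = record.get("hmac_sha256")
    if tag is None:
        return False
    body = {k: v for k, v in record.items() if k != "hmac_sha256"}
    expected = hmac.new(auditor_key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    key = b"PLACEHOLDER-auditor-key"  # in practice, held outside the IT department
    evidence = build_evidence("laptop-042", SAMPLE_LSBLK, key)
    print(json.dumps(evidence, indent=2))
    print("verifies:", verify_evidence(evidence, key))
```

On the sample layout the record says `/` is encrypted, `/data` is not, and `all_encrypted` is therefore false; that is exactly the machine the IT department would have missed if it only checked that the "encrypt everything" command was sent. Because the tag is computed with a key the IT department never holds, a later edit of the record (say, flipping `/data` to true after a theft) fails `verify_evidence`, which is the separation of duties the clients above were asking for.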
Related Articles and Sites:
http://www.absolute.com/resource_center/whitepapers/ponemon-human-factor
McNair Eye Center on Industrial Park Road, Arkansas, has had a data breach that could affect 9,000 patients. A server, which I'll assume was not protected with data encryption software like AlertBoot, was stolen.
The server was stolen from McNair Eye Center itself (as opposed to a break-in at a data center). The burglars entered the building by pulling out a window air conditioning unit. They also had the sense to turn the security cameras towards the walls. Methinks these people knew the lay of the land beforehand. I wouldn't be surprised if this was an inside job.
According to the article by thesuntimes.com, only the server was taken, which was "very heavy." No details on the actual weight.
I've often found that many people don't really think of encryption software as a necessary precaution for their servers, whereas they might ponder on it a bit if we were talking about laptops. Generally, there are two reasons for the lack of enthusiasm for encrypting servers.
First reason: it slows down the server. This is true but must be put into context: most people won't really notice the difference.
If you process as much data as Google, yes, you'll definitely feel the lag. But if you happen to be a smaller business, like our clinic above, chances are "slowing down the server" doesn't quite mean "slow performance," just like a car going down the highway at 120 mph is slower than one going at 150 mph but by no means slow.
Second reason: servers are heavy. Yes, they are. They're heavy...er than a laptop, but not so heavy that a guy would have a problem stealing one. I mean, let's face it, a guy put the server there, so chances are another guy can take it away. What kind of security is that?
(Pointing out that there are other forms of security, such as locked doors and whatnot, does not count. The same security would be present if the server in question was a laptop. But people would cry foul for not having the information encrypted if it actually was a laptop.)
Besides, even if a server is super heavy (say, the size of a mainframe) so that it cannot be stolen, where is the guarantee that the data on that server cannot be stolen? A guy could connect an external disk and copy off data from that server with a few commands.
Related Articles and Sites:
http://www.thesuntimes.com/news/x324651657/Server-theft-could-affect-9-000-people
I found an interesting article over at meeb.com, a law firm that seems to specialize in real estate and property. I was looking up 201 CMR 17.00 compliance information--the compliance date was March 1, 2010--and happened upon how condominium managers are affected by Massachusetts's data breach notification and encryption laws.
As already discussed a couple of times previously, the MA 201 CMR 17 penalties have some teeth to them (a maximum of $5,000 per violation, although it's not quite yet known what "violation" means exactly: per file? Per name of resident affected? Per computer lost?)
Obviously, many businesses are affected by this law. However, I kind of forgot that it's a data protection law, not a "consumer" data protection law. Which is why the fact that condo managers need to follow this law came as something of a surprise, although it shouldn't have.
Why do condo managers need to see if they're in compliance with 201 CMR 17? For two reasons, at least:
1. They have employees. If a company has any employees--even just one--it is required to keep W-4 and I-9 forms (for tax withholding and employment eligibility verification). These forms require first and last names; SSNs and/or other forms of identifying information; and are to be retained by a company for at least three years. Obviously, this data has to be protected per 201 CMR 17.
2. Direct payment / automatic withdrawal. As noted in the article, many property management companies make available a direct payment program, where a biller automatically withdraws money from a person's bank account. Financial information--such as bank account numbers--is also required to be protected from breaches if it happens to be combined with first and last names.
Guess who's making a trip down to the lobby, where the management office is, to see if his information is protected?
One thing to constantly keep in mind is that this is an information breach law. The fines and penalties apply even if a file full of paper documents is lost. For example, a folder full of direct payment authorization documents is lost? Chances are you'll be fined for that, assuming the folder was not secured in a locking file cabinet.
What's important is not what form the information takes. Ensure that you're not just concentrating your efforts on laptop encryption like AlertBoot, internet firewalls, anti-virus software, and the like.
Related Articles and Sites:
http://www.meeb.com/articles/ID%20theft.pdf
Arrow Electronics has notified the New Hampshire Attorney General's office that they have recently experienced a data breach, and have sent out breach notification letters to all who are potentially affected. It looks like disk encryption and other security products and services, such as AlertBoot, were not used in this case.
The breach took place on February 18, when burglars broke into Arrow's New York office and stole a laptop computer. Via backups, it was determined that the stolen device contained the personal information of over 4,000 employees (current and former).
The personal information included names, addresses, and telephone numbers. In some instances SSNs were included, as well as corporate and personal credit card numbers--including the security codes and expiration dates.
Which is disturbing. Why would my employer need to know my personal credit card information? I'm sure there must be a logical explanation, but it still seems unusual.
It appears that the breach of credit card information is limited to those who used company-issued BlackBerries, wireless AirCards, and calling card services.
Arrow Electronics is offering credit monitoring services.
And not just for the obvious reasons. Obviously, computer data backups, whether of just important files or of the contents of an entire hard drive, are necessary because one never knows when an emergency or disaster is going to strike. I mean, that's why they're called emergencies, right?
But in this new world where computers are stolen, not because of their hardware value but because of the data that's in them, only backups allow a company to determine the true extent of a data breach. One of the things you definitely do not want to do is rely upon people's memories to make that determination.
Plenty of companies have done that initially--perhaps as a means of speeding up their notifications to various agencies--only to later find via their backups that even more people are involved, or that other sensitive data was present in the stolen machines. People's memories are fallible, and that seems to be even more true when dealing with emergencies.
So, when drafting up your data security plans, definitely make sure encryption software for your computers is in place. But also make sure you've got adequate backup plans as well, for the obvious reasons as well as the not-so-obvious ones, such as legal compliance and notifications.
This is especially true if you operate in more than one state. Breach notification rules vary from state to state, and there are those that don't provide safe harbor for the use of encryption as a means of data protection.
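Determining scope from a backup rather than from memory is itself a mechanical job. The following is an added example, not from the original post and not Arrow's or AlertBoot's tooling: it walks a restored backup of a stolen laptop, pulls out SSN-shaped strings and payment-card numbers (keeping only numbers that pass the Luhn check, so serial numbers and other digit runs don't inflate the count), deduplicates them across files, and reports how many distinct identifiers were present and in which files. The directory layout, the file contents and every name, SSN and card number in the sample are constructed and fake; the regular expressions and the Luhn filter are my choices.

```python
"""Added example, not from the original post: scope a laptop-theft breach from the
machine's backup rather than from staff memory, by enumerating the people whose
identifiers were on it.

Assumptions (mine): the backup is restored into a directory tree of text files;
people are identified by SSN-shaped strings and by payment-card numbers that pass
the Luhn check. Every record below is constructed and fake.
"""
import os
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed backup snapshot: path -> file contents (all values fake).
SAMPLE_BACKUP = {
    "hr/payroll.csv": (
        "name,ssn\n"
        "Alice Example,123-45-6789\n"
        "Bob Sample,987-65-4321\n"
    ),
    "hr/w4_archive.txt": "Alice Example 123-45-6789 (copy of 2009 W-4)\n",
    "expenses/blackberry_billing.txt": (
        "Alice Example card 4111 1111 1111 1111 exp 11/12 cvv 123\n"
        "Bob Sample card 5555555555554444 exp 01/13 cvv 456\n"
    ),
    "misc/asset_tags.txt": "serial 1234567890123456 is a printer, not a card\n",
    "notes/todo.txt": "order more cable locks\n",
}


def luhn_ok(digits):
    """Luhn checksum used by payment-card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Return (set of SSNs, set of Luhn-valid card numbers) found in one file."""
    ssns = set(SSN_RE.findall(text))
    cards = set()
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            cards.add(digits)
    return ssns, cards


def scope_breach(files):
    """Aggregate identifiers across a {path: contents} snapshot, deduplicated."""
    all_ssns, all_cards, hits = set(), set(), {}
    for path, contents in files.items():
        ssns, cards = find_identifiers(contents)
        if ssns or cards:
            hits[path] = {"ssns": len(ssns), "cards": len(cards)}
        all_ssns |= ssns
        all_cards |= cards
    return {
        "distinct_ssns": len(all_ssns),
        "distinct_cards": len(all_cards),
        "files_with_pii": hits,
    }


def load_backup_tree(root):
    """Read a restored backup directory into the {path: contents} shape above."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


if __name__ == "__main__":
    summary = scope_breach(SAMPLE_BACKUP)
    print(f"affected SSNs: {summary['distinct_ssns']}, cards: {summary['distinct_cards']}")
    for path, counts in summary["files_with_pii"].items():
        print(f"  {path}: {counts}")
```

On the constructed snapshot the script finds two distinct SSNs (Alice's appears in two files and is counted once) and two valid card numbers, and it ignores the printer serial that merely looks like a card number. Run `scope_breach(load_backup_tree("/path/to/restored/backup"))` against a real restore; the per-file listing is what goes into the notification file, and it is also the list of files that should never have been on an unencrypted laptop in the first place.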
Related Articles and Sites:
http://www.databreaches.net/?p=10543
http://doj.nh.gov/consumer/pdf/arrow_electronics.pdf
The landmark California regulation that was passed in 2002 requires companies to go public when they've experienced a data breach. Today, eight years later, most states have passed their own version of that seminal legislation, and even the federal government is debating whether to pass one. Other nations have passed similar laws as well.
The legislation varies state by state: for example, many US states provide safe harbor from sending data breach notification letters to clients if the information was protected with encryption software like AlertBoot endpoint encryption; other states do not. Some states allow companies to determine whether a breach notification is necessary; other states do not.
But there is one thing in common among all the states' laws: in no instance do the laws penalize a company for suffering a data breach, as far as I can tell. Instead, penalties and fines are assessed for instances where a company does not report a data breach, assuming such legislation is in place.
Technically, if a junior banker loses a laptop full of client account numbers and routing codes, because he decided to take said laptop on an all-night partying and drinking binge, well, the company's safe as long as they report the data breach. (And, again, in some states they're OK even if they don't report it.)
Of course, the public relations fallout and any other regulators--from the banking associations, for example--might not be as forgiving about the breach. And the same goes for the bank in relation to the junior banker: he most probably will get fired. However, it still remains that the breach laws cannot penalize the company.
Which is weird. Generally, the law tends to ensure penalties are assessed for things that are bad for society. And personal information data breaches are bad for society. So what's going on here?
Well, the problem lies in that no one wants to come forward regarding a data breach. Companies especially don't want to come forward if they're going to be penalized as a result. Sure, maybe a company has in its mission statement something about the "welfare of their clients" and whatnot, but consider the financial impact of a breach:
- Cost of notifying clients (the law usually requires first class mail)
- Cost of setting up toll-free numbers where clients can call for more information
- Cost of running security audits; patching and updating weaknesses; etc.
- Costs for defending against lawsuits due to the breach
- Cost of offering identity theft protection, credit protection, etc.
- Costs associated with lost productivity--someone's got to run and write the reports to show to auditors and others
- Potential costs of client turnover
Tack on substantive fines on top of these and, of course, the hiring of lawyers to defend the company against levying such fines (companies have to pretty much defend themselves against everything; to do otherwise would mean the C-level guys are in breach of their fiduciary duties to shareholders), and you've got to imagine that some companies will not be as forthcoming.
At the same time, one's got to admit that there's no way to prevent data breaches 100%--the flipside of that coin meaning that the chances of a breach are pretty much 100%. When you know that the chances of a breach equal certainty, well, does assigning penalties even make sense?
Consider, too, the reason behind breach notifications: ultimately, it's the companies' clients--you know, people, average joes--that are affected. Hiding a data breach, or not reporting it as soon as possible, means that it's the clients that will suffer the most.
It only makes sense that there wouldn't be any legislation gunning for companies that have a data breach: the idea is to encourage companies to do the right thing and come forward.
Incidentally, that's the reason why companies are penalized for not reporting a data breach: another encouragement for doing the right thing. And, of course, the safe harbor provided by many states when employing encryption is basically to encourage companies to use this method of data protection.
The problem with these breach notification laws is that they're a form of defense after the crime. An ounce of prevention is worth a pound of cure, right? So is there any way to be more proactive when it comes to data breaches?
Well, it's debatable. Let's say the government passes a law requiring the use of disk encryption on any laptops that may contain sensitive information--no ifs and buts. Well, that's great and all, but what's important is not that the laws were passed; the point is whether people comply with those laws. Otherwise, we're still stuck in the same situation.
How can we tell that companies are complying with such laws, assuming they are passed? The only way to know for sure is to inspect companies, by performing an audit. Just like the Health Department does when inspecting restaurants for health code violations.
Obviously, the government can't audit all companies. And auditing the top companies only--say, the Fortune 1000--would not quite make a dent in the problem: Census stats show that firms with 500+ employees comprise less than 1% of all firms in the US, but breaches of massive amounts of data can come from pretty much anywhere.
You can see where this is going: it's going to be pretty much impossible to ensure everyone's following a law designed for better data security, and to enforce it.
Personally, I don't think that auditing all companies would even work, even if it were possible. We must remember that it's generally people that are allowing breaches to occur: sure, hackers can gain access to sensitive information in databases due to patches not being applied correctly; because there are bugs in the code; etc.
But a good 33% of the data breaches in the US occur due to good, old theft: break-ins to cars and homes, loss and misplacement, surreptitious lifting while at the coffee shop, etc.
Considering this, legislation that penalizes companies may not necessarily be the answer.
Related Sites and Articles:
http://www.census.gov/epcd/www/smallbus.html
The Iowa Racing and Gaming Commission is offering people an unprecedented 7 years of fraud alerts on their credit reports. That's the result of a January data breach where 80,000 people's sensitive information was potentially compromised. (There's no way the utilization of encryption software like AlertBoot would have helped in this case, since the breach was a result of an unpatched firewall).
The state started notifying employees on January 26 that their information was breached. A third-party contractor had forgotten to patch a firewall, which allowed hackers--possibly from China--to gain access to the Iowa Communications Network.
There appears to be a dispute whether having had all patches would have prevented the breach:
"There is nothing to show that even if all the patches had been installed, they still wouldn't have gotten in because they had already gotten through the state's firewall," said Robert Keller, chief technology officer, Ambient Consulting of Minneapolis. [SC Magazine]
Huh? Maybe Keller was misquoted--that's one weird proclamation to make; "they still wouldn't have gotten in?" That makes it sound as if the hackers never made it into the network...
Anyhow, hackers were able to gain access to the gaming commission's database, although it's hard to tell whether any information was downloaded.
The attack compromised the information of employees, such as jockeys, trainers, card dealers, horse and greyhound owners (technically, not employees, I would imagine), etc.
I don't think I've ever seen more than 3 years offered for fraud alerts when similar information was breached. Seven years! Assuming that 100% of the people take up this offer, and assuming that the Iowa Racing and Gaming Commission was able to get a deal where the annual cost, over those seven years, is $5 on average, that would end up costing $2.8 million (80,000 people x $5 x 7 years).
Potentially three million bucks for an unpatched firewall. Of course, you could say that that's the gaming commission's own doing: they could have offered two years of fraud alerts, just like everyone else.
On the other hand, if one's truly concerned about people and wants to help them, seven years' worth of protection is probably much more realistic. It's not unknown for criminals to steal data and then wait a couple of years to use it. That's not because most companies offer two years' worth of credit protection, fraud alerts, and other forms of minimizing identity theft.
Rather, the waiting period pretty much hides the criminals' traces: once people find out they've become victims, they have no idea where their information could have possibly been breached from. At least, that was the case before states started passing laws regarding data breach notifications.
However, criminals would probably not extend their waiting period to seven years. Can you imagine any organization waiting seven years for a payoff? Especially when there are so many fish in the sea?
Related Articles and Sites:
http://www.wcfcourier.com/news/local/govt-and-politics/article_8e795214-27c0-11df-b5d4-001cc4c03286.html
http://www.iowa.gov/irgc/Breach.htm
http://www.scmagazineus.com/hackers-accesses-iowa-racing-and-gaming-commission-database/article/163050/