Does I.T. Drive Your Business, or Does I.T. Drive you Mad?

Friday, June 22, 2007

High Profile Data Theft - Yet Again

Another high profile breach has been reported - this time with over 225,000 personal records stolen. The breach happened when an intern in the Ohio State Government was given the responsibility of storing back-up data off-site, in her home. Unfortunately, it was stolen from her car before she even got it home.

This has happened many times over the past few years - yet I am not surprised to hear that these types of practices continue - seemingly unabated. Here is a tiny sampling:

  • Feb. 25, 2005: Bank of America lost a backup tape with 1,200,000 records on it.
  • March 11, 2005: Univ. of CA, Berkeley lost a laptop with 98,400 records on it.
  • Jan. 12, 2006: The People's Bank lost backup tapes with 90,000 records on them.
  • Jan. 25, 2006: Providence Home Services had backup tapes stolen with 365,000 records on them.
  • Feb. 13, 2006: An Ernst & Young employee had a laptop stolen from a car containing 38,000 records.
  • March 2, 2006: Hamilton County Clerk of Courts posted information improperly to its website, leading to the exposure of 1.3 million records. Of note: an identity thief was sentenced to 13 years in prison for the resulting crimes. She stole 100 identities and nearly $500,000.
  • Feb. 8, 2007: St. Mary's Hospital lost a laptop containing 130,000 confidential records.

This is just a very, very small fraction of the total number of incidents reported over the past two years. For a complete list, please refer here.

These types of security breaches point to the fact that information security is not all about technology. A comprehensive, "best practices" security program takes into consideration four key areas: Policy, Process, People and Technology. Here's an example of how attention to these four areas could have prevented this breach from ever happening:

Policy: All back-up information is to be stored off-site in a secure facility and managed by authorized representatives only. (no interns, no storing in your house or car!)

Process: All back-up media are to be delivered to and from secure facilities via secure encrypted links or bonded, tier-1 couriers. Even this is not enough on its own, because couriers can be robbed too. This is why we need to consider multiple layers of defense.

People: Only select people shall be responsible for the safe keeping of back-up media (managing the process). These people must be trained on the security protocol and on the risks involved!

Technology: All back-up information shall be encrypted, with the encryption keys kept separate from the media, such that if the media are stolen or lost, the information on them is rendered useless.

In a recent report, Forrester concluded that the cost of a data breach varies widely, from about US$90 to $305 per customer record, depending on whether the breach is "low-profile" or "high-profile" and whether the company is in a non-regulated or a highly regulated area, such as banking. These costs cover legal fees, notification costs, increased call centre costs, and marketing and public relations expenses.

Implementing mechanisms to prevent this type of data loss does not have to be expensive, and it is certainly not cost prohibitive. Changes to policy, process and people alone significantly reduce the risk. Unfortunately, it is obvious that the reporting of hundreds of similar breaches is not enough for many organizations to act and reduce their risk. Our advice is to not wait until it happens to you - reducing the risk does not have to be expensive or complicated, just well thought out.
