What can you learn from the deluge of data leakage news?

Filed Under: Data loss, Law & order, Privacy

While it would appear we are losing the battle for the protection of our sensitive data stored by third parties, that isn't necessarily the case.

Many Naked Security readers are responsible for helping their organizations protect sensitive data belonging to their customers, partners and employees. Hopefully our readers are able to learn from the mistakes of others through the stories we share and prevent their organization from having to announce they have lost data that is sensitive.

There have been three different examples in the last few weeks and I think they show us three unique lessons we can learn about data security.

The first incident was when a Scottish newspaper broke a story on how they had discovered sensitive documents related to the appeals court at a local recycling facility. The Scottish Information Commissioner's Office investigated and found that the courts had released the documents to an editor for a reports series without inquiring about how the data would be protected.

The court's reaction was exactly the right remedy. Quoting from their press release:

Eleanor Emberson, Chief Executive of the Scottish Court Service, has signed a formal undertaking to ensure that all staff are aware of the court service’s policy for the storage, use and disclosure or sharing of personal data. All staff will be appropriately trained and all parties involved in the sharing of data must sign up to a Memorandum of Understanding with the service.

The second incident demonstrates why keeping sensitive records unencrypted is always a risk, even on systems that are not portable. Seacoast Radiology of New Hampshire disclosed that over 241,000 patient records were exposed to hackers due to an improperly secured server. Allegedly the hackers compromised the server to host Call of Duty: Black Ops games for multiplayer gaming. While it does not appear patient records were acquired during the incident, all parties involved could have breathed a sigh of relief had the records been properly protected.

Lastly we witnessed a rather tasteless inside data breach at a hospital in Arizona. Three employees and a contract nurse at Tucson's University Medical Center accessed the patient records of the victims from last week's shooting involving Congresswoman Gabrielle Giffords. The result is that these employees were terminated, but what was the cause? Trust. Most organizations provide unfettered access to sensitive data to all employees without barrier. Similar to the story earlier this month on abuse of Vodafone's account data, people employed by or affiliated with an organization often have access to any and all sensitive information.

While it can be difficult to segregate information to make sure it is only accessed on a "need to know" basis, it is important, and, as in the first two stories, encryption can help. Many encryption solutions offer integration with directory services like Microsoft's Active Directory, which can provide a framework to ensure only authorized people can access data.

The reason we write about many of these incidents on Naked Security is to provide context and provoke our audience to think about their own environments. There are millions of ways to make mistakes, and hopefully, by sharing the stories of those who have made an error, we can apply that lesson to our own data. Most of the advice I share with our customers and my colleagues in the security industry was learned through mistakes I have made, or observed others make. Take a moment to ensure your policies and procedures would prevent an incident like these from happening to you.

Download our Data Security Toolkit, which is full of educational videos on how to protect yourself from ID theft and choose good passwords, and whitepapers on data security best practices. Aside from being free of charge, you can brand much of the content with your own company logos and help your entire organization understand the risks and work together to protect your sensitive data.

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.