While it would appear we are losing the battle for the protection of our sensitive data stored by third parties, that isn't necessarily the case.
Many Naked Security readers are responsible for helping their organizations protect sensitive data belonging to their customers, partners and employees. Hopefully our readers are able to learn from the mistakes of others through the stories we share and prevent their organization from having to announce they have lost data that is sensitive.
There have been three different examples in the last few weeks and I think they show us three unique lessons we can learn about data security.
The first incident was when a Scottish newspaper broke a story on how they had discovered sensitive documents related to the appeals court at a local recycling facility.The Scottish Information Commissioner's Office investigated and found that the courts had released the documents to an editor for a reports series without inquiring about how the data would be protected.
The court's reaction was exactly the right remedy. Quoting from their press release:
Eleanor Emberson, Chief Executive of the Scottish Court Service, has signed a formal undertaking to ensure that all staff are aware of the court service’s policy for the storage, use and disclosure or sharing of personal data. All staff will be appropriately trained and all parties involved in the sharing of data must sign up to a Memorandum of Understanding with the service.
The second incident demonstrates why keeping sensitive records unencrypted is always a risk, even on systems that are not portable. Seacoast Radiology of New Hampshire disclosed that over 241,000 patient records were exposed to hackers due to an improperly secured server. Allegedly the hackers compromised the server to host Call of Duty: Black Ops games for multiplayer gaming. While it does not appear patient records were acquired during the incident, all parties involved could breathe a sigh of relief had the records been properly protected.
Lastly we witnessed a rather tasteless inside data breach at a hospital in Arizona. Three employees and a contract nurse at Tuscon's University Medical Center accessed the patient records of the victims from last week's shooting involving Congresswoman Gabrielle Giffords. The result is that these employees were terminated, but what was the cause? Trust. Most organizations provide unfettered access to sensitive data to all employees without barrier. Similar to the story earlier this month on abuse of Vodafone's account data people employed or affiliated with an organization often have access to any and all sensitive information.
While it can be difficult to segregate information to make sure it is only accessed on a "need to know" basis it is important, and similar to the first two stories encryption can help. Many encryption solutions offer integration with directory services like Microsoft's Active Directory which can provide a framework to ensure only authorized people can access data.
The reason we write about many of these incidents on Naked Security is to provide context and provoke our audience to think about their own environments. There are millions of ways to make mistakes and hopefully by sharing the stories of those who have made an error we can apply that lesson to our own data. Most of the advice I share with our customers and my colleagues in the security industry was learned through mistakes I have made, or observed others make. Take a moment to ensure your policies and procedures would prevent an incident like these from happening to you.
Download our Data Security Toolkit which is full of educational videos on how to protect yourself from ID theft, choose good passwords, and whitepapers on data security best practices. Aside from being free of charge you can brand much of the content with your own company logos and help your entire organization understand the risks and work together to protect your sensitive data.