Encrypted? Check. Strong passphrase? Check. Mailing them together? Oops.

Earlier this week the Birmingham News reported on a data loss incident at financial services giant Regions Financial.

The incident occurred when an Ernst and Young employee needed to transfer personally identifiable information on Regions' 401K participants to another office during an audit.

Regions employs 27,000 people and the information lost included data on both current and former employees.

Following best practice, the USB memory stick was encrypted. Yay! They used a strong key. Yay! They put the key and the USB memory stick in the same envelope and mailed them to the other office. What?

That's right kids... If you need to encrypt something and securely transmit it, don't include the keys with the encrypted file.

ATM card about to expire? Your bank likely mails you the PIN code separately from the card.

Want to send an encrypted email using SPX from your Sophos Email Appliance? Communicate the key out-of-band (telephone or other secure channel) or require the recipient to register on a web portal.
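The advice above comes down to one rule: the encrypted payload and the secret that unlocks it must never travel together. The following is an added example, not code from the article or from Sophos, that models the two channels in stdlib-only Python. A passphrase is stretched into keys with PBKDF2 (this is also how a "key" relates to a "long password"), the payload is encrypted for the envelope, and the passphrase is kept back for the telephone or portal. The cipher is a deliberately simple HMAC-SHA256 keystream with an HMAC tag so the script runs without third-party packages; a real deployment would use a vetted AEAD such as AES-GCM. The names `Shipment`, `prepare_shipment` and `decrypts_with` are hypothetical, and the iteration count is a constructed choice.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os
import secrets
from dataclasses import dataclass

# Added example (not from the article or Sophos). Demonstrates keeping the
# encryption passphrase out of the envelope that carries the ciphertext.
# Toy cipher for portability: HMAC-SHA256 counter-mode keystream + HMAC tag.
# Use a vetted AEAD (e.g. AES-GCM from a maintained library) in production.

KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (constructed choice)
ENVELOPE_FIELDS = {"salt", "nonce", "ciphertext", "tag"}  # nothing else may ride along


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch a human passphrase into separate 256-bit encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, passphrase: str) -> dict:
    """Encrypt-then-MAC. The returned envelope carries no key material."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt(envelope: dict, passphrase: str) -> bytes:
    """Verify the tag first; a wrong passphrase or tampering raises ValueError."""
    salt, nonce = bytes.fromhex(envelope["salt"]), bytes.fromhex(envelope["nonce"])
    ciphertext, tag = bytes.fromhex(envelope["ciphertext"]), bytes.fromhex(envelope["tag"])
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong passphrase or corrupted envelope")
    stream = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


@dataclass
class Shipment:
    """What each channel carries (hypothetical names for the demonstration)."""
    postal_envelope: dict       # the encrypted payload: the USB stick in the mail
    out_of_band_channel: str    # the passphrase: read over the phone or via a portal


def prepare_shipment(plaintext: bytes) -> Shipment:
    """Generate a fresh passphrase and keep it out of the envelope."""
    passphrase = secrets.token_urlsafe(24)
    return Shipment(postal_envelope=encrypt(plaintext, passphrase),
                    out_of_band_channel=passphrase)


def envelope_is_clean(shipment: Shipment) -> bool:
    """Pre-mailing check: only the allowed fields, and the passphrase is not inside."""
    serialized = json.dumps(shipment.postal_envelope)
    return (set(shipment.postal_envelope) == ENVELOPE_FIELDS
            and shipment.out_of_band_channel not in serialized)


def decrypts_with(envelope: dict, passphrase: str) -> bool:
    """True only if this passphrase opens the envelope."""
    try:
        decrypt(envelope, passphrase)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample payload standing in for the 401K participant records.
    records = b"constructed sample: employee roster with PII"
    shipment = prepare_shipment(records)
    print("envelope clean to mail:", envelope_is_clean(shipment))
    print("opens without the phoned passphrase:", decrypts_with(shipment.postal_envelope, "guess"))
    print("opens with both channels:", decrypts_with(shipment.postal_envelope, shipment.out_of_band_channel))
```

The `envelope_is_clean` check is the step the Regions/Ernst and Young process lacked: before anything goes in the post, confirm that the thing being mailed contains only ciphertext and its public parameters, and that the secret lives on a different path to the recipient.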

Fortunately, Regions' employees are likely in the clear. The envelope arrived at the Ernst and Young offices without the USB memory stick, but the encryption key was safely inside the envelope.

I suppose it is good news that more companies are encrypting sensitive data; now they just need to apply some common sense to take the final step in data security.

Do you have sensitive information you store on USB or other removable devices? Try out Sophos Free Encryption (registration required) for an easy way to securely encrypt sensitive data.

Just be sure to keep your password safely stored away from the encrypted files.

USB stick with keys image courtesy of Shutterstock.

9 Responses to Encrypted? Check. Strong passphrase? Check. Mailing them together? Oops.

  1. velo says:

    That's not a data loss. That's a data security breach.

  2. velo says:

    I repeat, that is not a data loss, that is a lucky, narrowly avoided, data breach.

    • Me says:

      Not necessarily a narrow miss, as I am one of the ones whose data was on that drive and was informed by Ernst and Young that the flash drive was missing from the envelope upon delivery, so it remains to be seen if a breach occurred!!

    • Justme says:

      Narrowly avoided data breach? Remains to be seen if it was avoided. I was one of the ones notified that my data was included on the flash drive. I was told that the encryption key was in the envelope but NOT the drive when it was delivered to Ernst and Young in New York.

      • velo says:

        I'm hoping it is not breached because the encryption key was not taken. Someone just thought "oh boy! a free USB drive!". If they were knowledgeable enough to realize what they really had, why would they leave the key and not take it too?

        But I'm really just ragging on them calling it a data loss, rather than what it is. A data security breach.

  3. Kevin Goff says:

    As someone whose name, address, SSN and birthday were on that flash drive, all the reassurances in the world will not prevent whoever has the drive from making my life a living hell at some time in the future... However, finding them and letting me beat the hell out of them would sure make me feel better.

  4. Varttaanen says:

    I'd love to try your encryption tool, however, I find it quite annoying that you guys actually need my phone number.

  5. lovingthesixties says:

    You all make good points, but there is another (hopefully less likely) possibility, namely that the key was used and put back in the envelope. Just because it's there is not very good assurance that it is unused. Hope I didn't cause anybody too much heartburn, but better to know up front that there may have been a data loss in the end rather than find out after your personal data has been misused in any number of ways.

  6. Hmmm says:

    Sorry for asking a dumb question, but is "key" just another word for a long password? If so, was it written on a piece of paper or something?

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski or send him an email at chesterw@sophos.com.