Data breaches aren't just about website insecurity and internet hacking...

Filed Under: Data loss, Featured, Law & order, Privacy

The Belfast Health and Social Care Trust in Northern Ireland, UK, has been stung with a £225,000 ($350,000) fine for a data breach.

In this case, though, the break-in was physical and the stolen data existed in printed form, or on film, for example in the case of X-ray images.

Here's what happened.

Back in 2006, Belfast's cancer-treatment services moved from Belvoir Park Hospital to the Belfast City Hospital.

The old hospital was closed down, but patient records were not removed or destroyed. Instead, confidential information was left in the abandoned hospital, where thieves got their hands on it.

According to the BBC:

The thieves even posted some of the records on the internet, including X-rays and scans, in an attempt to sell the material.

With all the news surrounding internet-orchestrated intrusions (where the thief never actually puts his hands on the server, never gets into the server room, and probably never even enters the country where it is located), it may seem surprising to read a story which combines the words "data breach" and "X-ray film".

But in 2012, printouts and old-school physical images are just internet-ready digital documents waiting to happen.

Digital cameras - including those built into mobile phones, which hardly look out-of-place anywhere these days - make excellent, fast and unobtrusive portable document scanners.

And modern-day mobile phone cameras can just as easily scan "documents" that you encounter in passing, such as PostIt notes, screen contents, ID badges, access control devices, company noticeboards, security arrangements and whiteboard scribblings.

To get you thinking about the physical aspects of data security, why not watch the video below? It's quite long (nearly an hour), as it's a conference talk from 2007, but it's worth watching because it was given by popular hacker and owner-of-a-social-conscience Johnny Long, whom you've heard me talk warmly about before. He's an engaging and informative speaker.

The talk is from DEFCON 2007, and is all about what Johnny calls No-Tech Hacking. It shows just how much sensitive data about ourselves and our employers we leak in our everyday lives:

You might also want to take a look at Sophos's free IT Security DOs and DON'Ts resource - a downloadable toolkit which aims to help you keep your employees out of trouble.

Check out IT Security DOs and DON'Ts

From videos and an employee handbook to posters you can put up round the office (yes, we use them at Sophos!), all the downloads are free, and no registration is required.


-

, , , , , , , , ,

You might like

One Response to Data breaches aren't just about website insecurity and internet hacking...

  1. Lasa Bailey · 799 days ago

    Trust the Irish to try to sell xrays

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog