Encrypted? Check. Strong passphrase? Check. Mailing them together? Oops.

Filed Under: Data loss, Featured, Privacy

Earlier this week the Birmingham News reported on a data loss incident at financial services giant Regions Financial.

The incident occurred when an Ernst and Young employee needed to transfer personally identifiable information on Regions' 401K participants to another office during an audit.

Regions employs 27,000 people and the information lost included data on both current and former employees.

Following best practice, the USB memory stick was encrypted. Yay! They used a strong key. Yay! They put the key and the USB memory stick in the same envelope and mailed them to the other office. What?

That's right kids... If you need to encrypt something and securely transmit it, don't include the keys with the encrypted file.

ATM card about to expire? Your bank likely mails you the PIN code separately from the card.

Want to send an encrypted email using SPX from your Sophos Email Appliance? Communicate the key out-of-band (telephone or other secure channel) or require the recipient to register on a web portal.
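To make the separation concrete, here is an added illustration (constructed for this post; it is not Sophos code, not SPX, and not the tool used in the incident) of what belongs in the envelope and what does not. Everything `seal` writes out, namely the salt, nonce, ciphertext and authentication tag, can travel with the stick because none of it is secret; the passphrase is the one value that has to reach the recipient by another channel. The cipher is a standard-library stand-in (PBKDF2 for passphrase stretching, HMAC-SHA256 as a counter-mode keystream and as the tag) chosen so the example runs offline; it is a teaching toy, not a substitute for a vetted file-encryption product.

```python
import hashlib
import hmac
import secrets

# Constructed example: the four fields that may ride in the envelope.
# The passphrase is deliberately NOT one of them.
PACKAGE_FIELDS = ("salt", "nonce", "ciphertext", "tag")


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Stretch the passphrase into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 200_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a teaching stand-in for a real stream cipher."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(plaintext: bytes, passphrase: str) -> dict:
    """Produce the package that goes on the stick / in the envelope."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC over everything the recipient will read before decrypting.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def unseal(package: dict, passphrase: str) -> bytes:
    """Recover the plaintext; needs the package AND the out-of-band passphrase."""
    salt = bytes.fromhex(package["salt"])
    nonce = bytes.fromhex(package["nonce"])
    ciphertext = bytes.fromhex(package["ciphertext"])
    tag = bytes.fromhex(package["tag"])
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or package altered in transit")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def demo() -> tuple:
    """Round trip, wrong-passphrase rejection, and tamper detection.

    Returns (roundtrip_ok, wrong_passphrase_rejected, tamper_rejected).
    """
    record = b"constructed sample: employee 401K record"   # constructed input
    passphrase = "phone this one through, do not mail it"  # constructed secret
    package = seal(record, passphrase)

    roundtrip_ok = unseal(package, passphrase) == record

    try:
        unseal(package, "guess")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True

    # Flip one byte of the ciphertext as a stand-in for damage or tampering.
    ct = bytearray(bytes.fromhex(package["ciphertext"]))
    ct[0] ^= 0x01
    damaged = dict(package, ciphertext=bytes(ct).hex())
    try:
        unseal(damaged, passphrase)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    return roundtrip_ok, wrong_rejected, tamper_rejected


if __name__ == "__main__":
    print("round trip, wrong passphrase rejected, tamper rejected:", demo())
```

The useful check is the last one in `demo`: a lost envelope holding only the package gives up nothing, while a package plus a guessed passphrase fails the tag check. Mailing the passphrase in the same envelope collapses that into a single point of failure, which is exactly the mistake the post describes.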

Fortunately Regions' employees are likely in the clear. The envelope arrived at the Ernst and Young offices without the USB memory stick, but the encryption key was safely inside the envelope.

I suppose it is good news that more companies are encrypting sensitive data; now they just need to apply some common sense to take the final step in data security.

Do you have sensitive information you store on USB or other removable devices? Try out Sophos Free Encryption (registration required) for an easy way to securely encrypt sensitive data.

Just be sure to keep your password safely stored away from the encrypted files.

USB stick with keys image courtesy of Shutterstock.


9 Responses to Encrypted? Check. Strong passphrase? Check. Mailing them together? Oops.

  1. velo · 1335 days ago

    That's not a data loss. That's a data security breach.

  2. velo · 1335 days ago

    I repeat, that is not a data loss, that is a lucky, narrowly avoided, data breach.

    • Not necessarily a narrow miss, as I am one of the ones whose data was on that drive and was informed by Ernst and Young that the flash drive was missing from the envelope upon delivery, so it remains to be seen if a breach occurred!!

    • Justme · 1335 days ago

      Narrowly avoided data breach? It remains to be seen if it was avoided. I was one of the ones notified that my data was included on the flash drive. I was told that the encryption key was in the envelope but NOT the drive when it was delivered to Ernst and Young in New York.

      • velo · 1335 days ago

        I'm hoping it is not breached because the encryption key was not taken. Someone just thought "oh boy! a free USB drive!". If they were knowledgeable enough to realize what they really had, why would they leave the key and not take it too?

        But I'm really just ragging on them calling it a data loss, rather than what it is: a data security breach.

  3. Kevin Goff · 1335 days ago

    As someone whose name, address, SSN and birthday were on that flash drive: all the reassurances in the world will not prevent whomever has the drive from making my life a living hell at some time in the future... However, finding them and letting me beat the hell out of them would sure make me feel better.

  4. Varttaanen · 1335 days ago

    I'd love to try your encryption tool, however, I find it quite annoying that you guys actually need my phone number.

  5. lovingthesixties · 1335 days ago

    You all make good points, but there is another (hopefully less likely) possibility, namely that the key was used and put back in the envelope. Just because it's there is not very good assurance that it is unused. Hope I didn't cause anybody too much heartburn, but better to know up front that there may have been a data loss in the end rather than find out after your personal data has been misused in any number of ways.

  6. Hmmm · 1334 days ago

    Sorry for asking a dumb question, but is "key" just another word for a long password? If so, was it written on a piece of paper or something?


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.