Encrypted? Check. Strong passphrase? Check. Mailing them together? Oops.


Earlier this week the Birmingham News reported on a data loss incident at financial services giant Regions Financial.

The incident occurred when an Ernst and Young employee needed to transfer personally identifiable information on Regions' 401(k) participants to another office during an audit.

Regions employs 27,000 people and the information lost included data on both current and former employees.

Following best practice, the USB memory stick was encrypted. Yay! They used a strong key. Yay! Then they put the key and the USB memory stick in the same envelope and mailed them to the other office. What?

That's right, kids... If you need to encrypt something and securely transmit it, don't include the key with the encrypted file. The ciphertext and the key must travel by separate channels, so that anyone who intercepts one still has nothing.

ATM card about to expire? Your bank likely mails you the PIN code separately from the card.

Want to send an encrypted email using SPX from your Sophos Email Appliance? Communicate the key out-of-band (telephone or other secure channel) or require the recipient to register on a web portal.
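To make the "separate channels" rule concrete, here is a small Go program added as an illustration; it is not Sophos code and not how SPX works internally. It assumes a random 256-bit AES key (rather than a passphrase) and adds one detail the post does not mention: a short key fingerprint (first four bytes of SHA-256 of the key, in hex) stored beside the ciphertext, so the recipient can confirm that the key read out over the phone was transcribed correctly without the fingerprint revealing the key. The sample payload is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Package is what goes in the envelope (or on the USB stick): everything
// the recipient needs EXCEPT the key.
type Package struct {
	Nonce      []byte // 12-byte AES-GCM nonce; never reused with the same key
	Ciphertext []byte // encrypted payload followed by the 16-byte GCM tag
	KeyID      string // hex of SHA-256(key)[:4]; confirms the right key, reveals nothing about it (assumption of this example)
}

// NewKey returns a fresh random 256-bit key: the item that is sent
// out of band (phone, portal), never alongside the Package.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// KeyID is the fingerprint stored with the ciphertext.
func KeyID(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:4])
}

// Seal encrypts plaintext under key with AES-256-GCM, binding the key
// fingerprint into the authenticated data so it cannot be swapped.
func Seal(key, plaintext []byte) (*Package, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	id := KeyID(key)
	ct := gcm.Seal(nil, nonce, plaintext, []byte(id))
	return &Package{Nonce: nonce, Ciphertext: ct, KeyID: id}, nil
}

// Open checks the fingerprint first (catches a mistyped key with a clear
// message), then decrypts; any tampering with the ciphertext fails the tag.
func Open(key []byte, p *Package) ([]byte, error) {
	if KeyID(key) != p.KeyID {
		return nil, errors.New("key fingerprint mismatch: wrong key supplied")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, p.Nonce, p.Ciphertext, []byte(p.KeyID))
}

func main() {
	// Constructed sample standing in for the participant data in the story.
	payload := []byte("employee_id,name,ssn_last4\n1001,Example Person,1234\n")

	key, _ := NewKey()
	pkg, _ := Seal(key, payload)

	// Channel 1 (the envelope / USB stick): the Package.
	fmt.Printf("mail this: nonce=%x keyid=%s ct=%x...\n", pkg.Nonce, pkg.KeyID, pkg.Ciphertext[:16])
	// Channel 2 (telephone / portal): the key, and nothing else.
	fmt.Printf("read this out by phone: %x\n", key)

	// Someone holding only the envelope, guessing a key, gets nothing.
	wrong, _ := NewKey()
	if _, err := Open(wrong, pkg); err != nil {
		fmt.Println("wrong key:", err)
	}
	// The legitimate recipient, with both halves, recovers the data.
	if pt, err := Open(key, pkg); err == nil {
		fmt.Printf("recovered:\n%s", pt)
	}
}
```

The point of the two channels is that the Package alone is worthless to whoever finds the envelope, and the key alone is worthless to whoever overhears the call; only a party who has both gets the data. This is exactly the property Regions lost by putting both in one envelope.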

Fortunately Regions’ employees are likely in the clear. The envelope arrived at the Ernst and Young offices without the USB memory stick, but the encryption key was safely inside the envelope.

I suppose it is good news that more companies are encrypting sensitive data; now they just need to apply some common sense and take the final step in data security.

Do you have sensitive information you store on USB or other removable devices? Try out Sophos Free Encryption (registration required) for an easy way to securely encrypt sensitive data.

Just be sure to keep your password safely stored away from the encrypted files.

USB stick with keys image courtesy of Shutterstock.