The Belfast Health and Social Care Trust in Northern Ireland, UK, has been stung with a £225,000 ($350,000) fine for a data breach.
In this case, though, the break-in was physical and the stolen data existed in printed form, or on film, for example in the case of X-ray images.
Here’s what happened.
Back in 2006, Belfast’s cancer-treatment services moved from Belvoir Park Hospital to the Belfast City Hospital.
The old hospital was closed down, but patient records were not removed or destroyed. Instead, confidential information was left in the abandoned hospital, where thieves got their hands on it.
According to the BBC:
The thieves even posted some of the records on the internet, including X-rays and scans, in an attempt to sell the material.
With all the news surrounding internet-orchestrated intrusions (where the thief never actually puts his hands on the server, never gets into the server room, and probably never even enters the country where it is located), it may seem surprising to read a story which combines the words “data breach” and “X-ray film”.
But in 2012, printouts and old-school physical images are just internet-ready digital documents waiting to happen.
Digital cameras – including those built into mobile phones, which hardly look out-of-place anywhere these days – make excellent, fast and unobtrusive portable document scanners.
And modern-day mobile phone cameras can just as easily scan “documents” that you encounter in passing, such as PostIt notes, screen contents, ID badges, access control devices, company noticeboards, security arrangements and whiteboard scribblings.
To get you thinking about the physical aspects of data security, why not watch the video below? It’s quite long (nearly an hour), as it’s a conference talk from 2007, but it’s worth watching because it was given by popular hacker and owner-of-a-social-conscience Johnny Long, whom you’ve heard me talk warmly about before. He’s an engaging and informative speaker.
The talk is from DEFCON 2007, and is all about what Johnny calls No-Tech Hacking. It shows just how much sensitive data about ourselves and our employers we leak in our everyday lives:
Check out IT Security DOs and DON’Ts
From videos and an employee handbook to posters you can put up round the office (yes, we use them at Sophos!), all the downloads are free, and no registration is required.