Who Has My Data!?
In this day and age, when people fear for their identity and personal information to a greater extent than ever before, you would think the encryption of such data would be a priority without parallel. Unfortunately this is not the case. It seems like every time I check my RSS feeds there is always a story about some corporation that possesses a fantastic ability to completely ignore the privacy of the people who keep it in business. Case in point:
Bank of New York Mellon Corp. officials last week confirmed that a box of unencrypted data storage tapes holding personal information of more than 4.5 million individuals was lost more than three months ago by a third-party vendor during transport to an off-site facility.
I wish I had a more eloquent way to say this, but what the hell?
The first thing that came to my mind was whether or not the data was encrypted. Sure enough, “It contended that none of the unencrypted data has been accessed or used.” This brings me back to my first point of “what the hell?”
As it stands, computing power is greater than anyone in the past envisioned, and as a result the speed and efficiency with which data can be encrypted have increased. With this in mind, why are huge corporations still not protecting their data?
The Hong Kong branch of banking giant Hongkong and Shanghai Banking Corporation Limited (HSBC) has lost a computer server with client data involving about 159,000 accounts, the bank confirmed on Wednesday. Source
But wait, there’s more!
An Internal Revenue Service employee lost an agency laptop early last month that contained sensitive personal information on 291 workers and job applicants, a spokesman said yesterday.
The IRS’s Terry L. Lemons said the employee checked the laptop as luggage aboard a commercial flight while traveling to a job fair and never saw it again. The computer contained unencrypted names, birth dates, Social Security numbers and fingerprints of the employees and applicants, Lemons said. Source
I can accept and understand that laptops and hard drives get lost or stolen. While losing them is less excusable than having them stolen, let’s be honest, sometimes stuff just happens. However, losing an entire server is quite an achievement.
It worries me that those who we trust to protect our personal information and data can so easily lose it. Beyond simply losing it, the fact that it is unencrypted and thus unprotected makes matters exponentially worse. With the technology and resources we have, there is absolutely no reason these cryptographic safeguards are not put into place. If people cannot guarantee the physical safety of the data (and we all know in the business of infosec there are no guarantees) they need to take certain measures which so far, appear to be frighteningly far down on the list of priorities.

In this day of technology, your Identity consists of –
1) The physical you and 2) The database you.
All or some part of our Identity is stored in databases all around the world, and we do not have control over who can access it at every location.
The public needs to educate themselves about the growing issue of Identity Theft, then practice good habits to protect themselves and restore it if it has been compromised or stolen.
http://idtheftnews.wordpress.com/
I read about the first case you mentioned. And really, I laughed. First off, how could this box just be ‘lost’? I mean, come on.. These things currently don’t have legs to move about on.
Secondly, what about physical security? This box that was holding 4.5 Million people’s data was lost. If it was inside of a restricted area, then let’s narrow it down to who has rights to this restricted room.
And then third, of course, encryption. If this box had been encrypted, it wouldn’t have been a big issue that it came up missing (although that in itself should sound an alarm…). The person who has this box would need to crack the box (mostly unlikely…) or obtain the key to unlock it.
If companies would take a higher responsibility of securing data both physically and datawise with encryption, we would have a lot less to worry about.