01:43 PM
Tom Smith
Tom Smith

Data Security: Out To Lunch, Er, Dinner

It was just last week that InformationWeek published the latest exhaustive analysis of what's emerging as the IT story of the first decade of this century: complete corporate and government ineptitude when it comes to managing sensitive personal data.

It was just last week that InformationWeek published the latest exhaustive analysis of what's emerging as the IT story of the first decade of this century: complete corporate and government ineptitude when it comes to managing sensitive personal data.It didn't take long for another company--Fidelity Investments--to get a black eye for mishandling a laptop containing personal information on 196,000 current and former employees of Hewlett-Packard. Lest you think some poor unsuspecting Fidelity employee was robbed of the laptop at gunpoint, or had their home forcibly broken into and the laptop stolen, think again.

The employee in question left the laptop in a rental car while having a three-hour dinner with colleagues, according to a story in the Wall Street Journal [subscription required] that included details from a police report. At some point in the evening, the vehicle's keys were given to a colleague to retrieve an item from the vehicle ("Here, take my keys, don't worry about the 200,000 customer names sitting unprotected in the car."). The colleague, it seems, left the vehicle unlocked, and the laptop went missing. It was just one of 65 laptops reported stolen from restaurant parking lots in Palo Alto, Calif., in the last 15 months.

A Fidelity spokesperson said the company takes information security "very seriously" (can't you tell?) and that company policy wasn't followed. Such mealy mouthed excuses grow increasingly tired with each of the 130-plus data breaches since early 2005. Because companies can't seem to institute policies or adequate technical safeguards, here's a few suggestions for ensuring your company doesn't let incompetent third parties or its own employees mishandle its data:

  • Oftentimes, it's an outside data handler that's the cause of the problem. In this case, the data handler forced HP to deal with any and all issues affecting the 196,000 current and former employees. One can only imagine the potential for lost productivity at HP as employees figure out if their identity has been stolen. That alone is enough to fire Fidelity, just as any company that's the victim in such a case should consider doing if a third party loses their data. While you're at it, fire knuckleheaded employees that traipse around with reams of data about their customers. If corporate policy doesn't explicitly forbid such behavior, fire the corporate policy department.

  • Companies should demand documented policies, procedures, and safeguards from any vendor handling sensitive data on their behalf. Ongoing audits should be used to verify compliance. Failure to maintain compliance should result in stiff financial penalties up to and including termination of a business relationship.

  • Do away, once and for all, with the practice of storing sensitive or private data on laptop computers, which by their very definition are intended to be transported and are therefore vulnerable to theft. There may be a completely valid reason that one person needs to have personal data on 196,000 customers on their laptop, but I doubt it.
HP was just one of three incidents last week (see the comprehensive list since 2005 here and more gory details here), and more may be in the offing.

Our friends in the federal government--not exactly a bastion of personal data protection--are at it again.

The Government Accountability Office says the IRS' IT security weaknesses "increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification, or loss, possibly without detection." Oh boy.

I've shared my recommendations on what companies need to do, mostly by putting the screws to their vendors, to protect themselves and their employee and customer data. What do you think needs to happen next?

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-12-27
The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS before 6.0.4 does not require authentication, which allows remote attackers to execute arbitrary ASP.NET code via a crafted SOAP request.

Published: 2014-12-27
The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a si...

Published: 2014-12-27
index.php in Softaculous Webuzo before 2.1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in a SOFTCookies sid cookie within a login action.

Published: 2014-12-27
The login function in Softaculous Webuzo before 2.1.4 provides different error messages for invalid authentication attempts depending on whether the user account exists, which allows remote attackers to enumerate usernames via a series of requests.

Published: 2014-12-27
Unrestricted file upload vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to execute arbitrary code by uploading an executable file, and then accessing this file at a location specified by the format param...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.