A Rogues Gallery of Data Protection Miscreants

By Mary Jander and James Rogers, November 14, 2007, 4:05 PM

Protecting data has become a top priority for most IT personnel, including storage managers. And the job is overwhelming. From supporting laptop information to guarding archives to managing security keys, data protection is a multifaceted task with lots of moving parts.

So it's no surprise that things go wrong. Indeed, the essential challenge of data protection seems to lie in compensating for and reducing the potential impact of inevitable problems and slippages.

There's no lack of supplier help and advice. The market is teeming with vendors, consultants, integrators, and other solution providers. The bigger the organization, the more assistance is ready to hand.

So how come high-profile breaches keep happening?

That's what we're exploring in this article, which covers what we believe to be the major data protection disasters of recent memory. In the pages that follow, we profile what we think are the most egregious data handling mistakes to make headlines.

We're not out to place blame. But we're also not backing down from the position that some of these events should not have occurred. The data protection culprits we've profiled are all large, well funded organizations, and there can be little or no excuse for some of their breaches.

What's more, there's a lot to be learned from others' mistakes. While no one wants a data compromise or loss, the fact is that when one takes place, the lessons learned might actually help other organizations avoid similar mishaps.

So without further ado, we present our list of top data protection miscreants. Each comes with a brief explanation of the organization's most prominent disaster, with suggested lessons learned. We've also taken the liberty of ranking the list from least to most negligent, depending on our view of the circumstances -- not the results -- according to the following scale: 5 = Data Protection's Worst Enemy; 4 = Notable Rogue; 3 = Middling Miscreant; 2 = Petty Offender; 1 = Caught Once, Badly.

Any list like this is hardly comprehensive. Do you have a miscreant of note? Do you disagree with our ranking? As ever, feel free to hit the message board, write to us individually, or email us at [email protected].

The List:

Next Page: State of Ohio and Accenture

Background: Early in June 2007, a 22-year-old intern working for the state of Ohio was instructed to take home a computer tape containing data for an ongoing state project called the Ohio Administrative Knowledge System (OAKS). Apparently, common practice among staffers was to take tapes home for safekeeping, and on June 10, the assignment fell to an intern.

That evening, according to the Ohio Office of Inspector General's Report, the tape was stolen from the intern's car.

The plot thickened when it was learned that a consultant on the OAKS project, an employee of Accenture, had apparently copied sensitive data from a similar Connecticut project onto the Ohio system.

Here's what the inspector general, Thomas P. Charles wrote of the breach, in part:

Breach Description: The OAKS stolen tape contained bank account numbers and other financial information for nearly all of Connecticut's state agencies. According to the Ohio inspector general, it contained Social Security numbers and medical, payroll, and other data affecting 1,194,732 people, dependents, employees, and businesses in Ohio.

Follow-up: The Ohio inspector general had multiple suggestions for the OAKS team, including a thorough investigation of management policies, IT policies, contractor security, and emergency notification practices.

Commentary: This was a bad breach, indicating a number of problems. That said, the OAKS breach is typical of other large, ungainly government undertakings and indicates problems not related to IT. The action of the Accenture contractor was unfortunate and ill-advised, but it seemed to be thoroughly typical of common IT accidents. Our rating: 3.

Next Page: Deloitte & Touche and McAfee

Background: In late February 2006, newspapers began reporting that security software vendor McAfee had lost personal data on thousands of its current and former employees. Included was Social Security and payroll data as well as stock option details.

Apparently, months earlier, an employee of Deloitte & Touche, which was auditing McAfee's books, left the CD in the pocket of an airplane seat, along with some audio CDs.

Breach Description: The unencrypted CD contained data on all U.S. and Canadian McAfee employees hired before April 2005. The total was approximately 9,290 employees in all.

Follow-up: The problems here are clear: The sensitive data was trusted to a contractor, who took it, unencrypted, off premises and handled it in a shockingly lax fashion.

Commentary: The irony here is that Deloitte & Touche and McAfee both earn a living from telling others how to handle sensitive data. While the incident apparently didn't result in any major woes, the slipup was a bad one and indicates that neither firm was practicing was it preached. Our rating: 4.

Next Page: TJX

Background: TJX, the parent company of TJ Maxx , Marshalls, and A.J. Wright stores, confirmed in January 2007 that its IT systems had been infiltrated in what has been described as the world's largest-ever hacker attack, affecting millions of people.

Estimates suggest that the overall cost of the breach could top the $1 billion mark, and the incident has sent shockwaves throughout the business and IT communities, forcing many firms to re-appraise their own security strategies.

When the intrusion was first detected in mid-December last year, TJX recruited General Dynamics and IBM to monitor and evaluate the breach, secure its systems, and implement security upgrades.

TJX is still dealing with the fallout from the incident, and recently proposed a $6.5 million settlement in response to a class action lawsuit brought by customers affected by the breach.

The retailer is also facing a number of suits from banks and financial institutions, which absorbed the majority of the costs associated with the breach.

One suit, filed last month, alleges that TJX was warned about its lack of compliance with credit card industry standards as far back as 2004, but failed to fix the problem, according to a recent news report.

Breach Description: Initially, it was thought that hackers had gained access to credit card information for some 45.7 million people, although this figure has subsequently ballooned to more than 94 million.

Follow-up: TJX did not respond to requests for comment from Byte and Switch, which means that the firm's security overhaul remains shrouded in mystery.

"I have been told that they have done a major re-evaluation of their wireless endpoints," says Adrian Lane, CTO of security consultancy IPLocks. "[But] we don't really hear much about what they are doing, because we believe that a couple of the Secret Service's cyber threat teams are still involved."

Although precise details of the hacking incident are yet to emerge, it has been suggested that hackers somehow had access to the decryption tool that TJX was using for its encryption software.

"It would not surprise me," says Lane. "It’s easier to get to the keys than attempting to attack some of the encryption algorithms that are out there."

Commentary: Perhaps history's largest data breach could have been averted had TJX taken action on compliance with security standards earlier on. Still, the fact is that the hack was a sophisticated one, and the bottom-line cause remains under investigation, temporarily suspending any final judgment about the company's level of responsibility and control. Our rating: 3.

Next Page: Los Alamos National Lab

Background: When it comes to security issues, Los Alamos National Laboratory can't seem to stay out of the headlines.

Three years ago, the New Mexico nuclear research facility found itself in the spotlight when officials were unable to locate disks containing top secret information.

In the subsequent media and political storm, Los Alamos was forced to overhaul its procedures and implement new storage systems.

Last year, a consortium led by the University of California and Bechtel took over the running of Los Alamos. Prior to that, the lab was the responsibility of the University alone, but the contract was re-bid in the wake of the high-profile storage snafus.

Despite the change in management, the lab's security is still coming under the spotlight. Earlier this year, for example, the Project on Government Oversight (POGO) launched a stinging assault on the lab, accusing officials of shirking their security responsibilities.

The government watchdog's attack on Los Alamos followed an incident last year when classified materials on memory sticks were confiscated during a drug raid on the home of a former lab contractor.

The University of California was subsequently slapped with a $3 million fine by the Department of Energy for last year's data breach, and lab officials have again moved to tighten security.

In July, for example, the lab set up a room described as a "super vault" for storing classified data, and officials claim to have significantly reduced their reliance on removable media.

Allegations that Los Alamos has failed to close its security loop nonetheless persist. POGO, for example, has alleged that a computer belonging to the contractor at the center of last year's breach may have been traded in exchange for drugs. This computer remains missing, according to the watchdog.

Breach Description: Since 2004, Los Alamos has been accused of compromising national security secrets related to weapons research and other classified information.

Follow-up: Despite public outcry, Los Alamos continues to surface in news reports. The problem isn't one of technology, since the lab has plenty of that available. Apparently, there is a deep-seated flaw in the way security policies are or are not carried out by lab personnel. Clearly, a major overhaul is required.

Commentary: When the first security breach shut down Los Alamos a few years back, it was time for soul searching. But more security breaches followed. Given that Los Alamos plays a role in national security, the lab's response to its security shortfalls is shocking and it may respond only to tougher government mandates. Our rating: 5.

Next Page: Department of Veterans' Affairs

Background: Another government organization that hit the headlines for all the wrong reasons, the Department of Veterans Affairs is also no stranger to embarrassing security gaffes. In May 2006, the Department confirmed that a laptop containing masses of sensitive information was stolen from the Maryland home of an employee, bringing into question the VA's entire data security strategy.

Like Los Alamos, the VA also found itself in the eye of a media and political storm. Although the laptop was recovered after about a month, and two teens were subsequently charged for the theft, the ramifications of a potentially devastating security breach were extensive.

Breach Description: Some 26.5 million veterans and family members were put at risk of identity theft and fraud.

Follow-up: When the breach occurred, James Nicholson, then the VA secretary, made a series of personnel changes in the Office of Policy and Planning, where the breach occurred. He also ordered a security review of the department's laptops and mobile devices.

The official also implemented cyber security awareness training for all VA employees, as well as setting up an inventory of all staff that need access to sensitive data.

Just over a year ago, the agency also set up a data security encryption program, awarding a $3.7 million contract to Syracuse, N.Y.-based systems integrator Systems Made Simple (SMS) to upgrade security on all its laptops and removable media.

SMS in turn teamed up with encryption software specialists GuardianEdge and TrustDigital to secure the devices.

In testimony before the House Veterans Affairs Committee two months ago, Robert Howard, the VA's secretary for IT, explained that the VA has encrypted around 18,000 laptops, and is also implementing procedures for encrypted portable devices. In addition, the department is also purchasing software "to address the encryption of data at-rest", according to Howard.

The official also explained that the VA has, for the first time, tested over 10,000 security controls on its 603 computer systems.

Despite these efforts, the VA has come under fire from the Government Accountability Office (GAO), which recently warned that the department could be at risk of another data breach.

Testifying before the U.S. Senate Committee on Veterans Affairs in September, Valerie Melvin, the GAO's director of human capital and management information issues, warned that there are still gaping holes in the VA's security strategy.

"Our assessment found that a weak overall control environment for IT equipment at the four locations we audited posed a significant vulnerability to the nation's veterans with regard to sensitive data maintained on this equipment," she said.

The official went on to describe how GAO auditors identified a total of 123 "missing IT equipment" items at the four locations, including 53 computers that could have stored sensitive information.

Commentary: Despite plenty of noise about data security at the VA since last year's laptop theft, this organization is clearly still a work in progress. Ongoing criticism shows that encryption alone won't solve a deeply entrenched problem. Our rating: 4.

Next Page: Iron Mountain

Background: Since 2005, Iron Mountain has been named in a series of data protection breaches, including lost tapes from Time Warner, fires at facilities in Canada and the U.K., allegations of misappropriated customer data, and most recently, the loss of data on hundreds of thousands of Louisiana college students.

Breach Description: In October 2007, "driver error" was blamed for the loss of backup tapes containing Social Security information on hundreds of thousands of Louisiana college students and their parents. In 2005, lost tapes resulted in compromised Social Security and other data for hundreds of thousands of Time Warner employees. Other tape-loss incidents have occurred in addition to these, at least four of which were big enough to require Iron Mountain to acknowledge them publicly in 2005. Data loss from fires in the U.K. and Canada in 2006 was apparently manageable, though a fire in London required about 100 firefighters to contain.

Follow-up: Iron Mountain has maintained the stance that its tape transport and physical data protection businesses are risky and that customers, not Iron Mountain, should bear the brunt of responsibility for ensuring data is protected, mostly through encryption. Lost tapes in Louisiana were blamed on a driver who was subsequently fired.

Commentary: Over 55 percent of more than 150 respondents to a recent Byte and Switch poll think Iron Mountain has never adequately explained data losses involving its services. But when asked about these results, a company spokeswoman offers an interview describing the work Iron Mountain is doing across its businesses.

Clearly, Iron Mountain isn't wasting time crying over spilt (or burned or stolen) data. The company's financials are solid. It continues to expand and acquire without looking back.

At least one analyst thinks this may be the only way to go. "Is Iron Mountain actually losing more tapes, or are fewer tapes actually being lost, but more tape loss being reported?" asks analyst Greg Schulz of the StorageIO Group. "Unless you eliminate removable media altogether, including tapes, optical, removable hard disk drives (RHDD), USB devices, PDAs, and laptops, the potential for loss will continue and is not unique to Iron Mountain... Until all data is secured both at rest and while in-flight, along with adequate digital rights and access mechanisms, and authorization and authentication are deployed more extensively, data loss will remain a threat."

It's a good argument, but we still think Iron Mountain has some work to do. Our rating: 4.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Byte and Switch's editors directly, send us a message.