Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Stop, Thief!

Major data breaches occur when storage media are physically stolen

When we use the phrase "data theft," we're usually talking about online criminals or insiders, not the guys with the heavy beards and the sacks slung over their backs. In the last week, however, old-school physical thieves have created nightmares for two large enterprises.

Last Thursday, Coastal Community Credit Union members reported a threat to the personal information of its 120,000 members when backup tapes were stolen from the courier company that transports them.

Garth Sheane, CCCU president and CEO, said the tapes were stolen while a courier truck was parked and locked in Nanaimo, B.C., on May 23. The tapes contain files with selected personal and financial information, such as name, address, date of birth, social insurance number, member number, ATM/debit card number, credit card number, and/or balances.

Sheane said the tapes don't contain PIN numbers, personal access codes for Internet or telephone banking, expiry dates or codes for credit cards, or security code words for in-branch access. But Sheane said fraudsters could still exploit the information, which is why the credit union has issued an advisory to each member.

"I think that's what would be in the top of the minds of most people -- identity theft," said Sheane. The tapes were encrypted and would require special commercial software to decrypt, he noted. "I don't believe anyone is going to have the ability to access the data on those tapes... We're concentrating our efforts on informing our members."

The very next day, the state of Ohio reported that a backup computer storage device with the names and Social Security numbers of every state worker -- some 64,467 people -- had been stolen out of a state intern's car.

The storage device -- described as the "second backup tape" -- is taken offsite each night by one member of a rotating staff of state network administrators. But the state intern who had it last Sunday night did not follow proper procedure and left it in his car, where it was stolen after a break-in, according to Gov. Ted Strickland.

Strickland said it would require a significant level of expertise and multiple computer programs to access the personal information.

"We have no reason to believe there's any breach of security at this time, and we think it is unlikely that a breach will occur," Strickland said at a press conference. The governor noted his personal information also was on the tape "and I slept very well last night."

While most enterprise security strategies revolve around logical security, it is often a physical loss that forces an organization to disclose a data breach. Last month, the Transportation Safety Administration suffered the theft of a removable hard drive containing the personal data of 100,000 of its employees, who later filed a lawsuit against the TSA. And the now-infamous data loss at the Department of Veterans Affairs was caused by the physical theft of a laptop at an employee's home. (See TSA Loses 100,000 Employee Records and VA Reports Massive Data Theft.)

And just yesterday, Texas A&M Corpus Christi reported that the personal information of some 8,000 students was recently lost in a foreign country. A professor vacationing off the coast of Africa took the data with him on a small flash drive, then lost it. The drive "may have contained files with personally identifiable student information, including Social Security numbers," the university said.

All of the organizations that suffered the thefts now say they are reviewing their policies and practices for handling portable storage devices. The governor of Ohio has issued an executive order revamping the state's procedures to ensure the privacy of employees' personal information.

Sheane said CCCU has outside parties reviewing the credit union's procedures for transporting backup information. "There are some changes we're contemplating."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
PUBLISHED: 2020-02-25
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
PUBLISHED: 2020-02-25
VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows r...