Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Stop, Thief!

Major data breaches occur when storage media are physically stolen

When we use the phrase "data theft," we're usually talking about online criminals or insiders, not the guys with the heavy beards and the sacks slung over their backs. In the last week, however, old-school physical thieves have created nightmares for two large enterprises.

Last Thursday, Coastal Community Credit Union members reported a threat to the personal information of its 120,000 members when backup tapes were stolen from the courier company that transports them.

Garth Sheane, CCCU president and CEO, said the tapes were stolen while a courier truck was parked and locked in Nanaimo, B.C., on May 23. The tapes contain files with selected personal and financial information, such as name, address, date of birth, social insurance number, member number, ATM/debit card number, credit card number, and/or balances.

Sheane said the tapes don't contain PIN numbers, personal access codes for Internet or telephone banking, expiry dates or codes for credit cards, or security code words for in-branch access. But Sheane said fraudsters could still exploit the information, which is why the credit union has issued an advisory to each member.

"I think that's what would be in the top of the minds of most people -- identity theft," said Sheane. The tapes were encrypted and would require special commercial software to decrypt, he noted. "I don't believe anyone is going to have the ability to access the data on those tapes... We're concentrating our efforts on informing our members."

The very next day, the state of Ohio reported that a backup computer storage device with the names and Social Security numbers of every state worker -- some 64,467 people -- had been stolen out of a state intern's car.

The storage device -- described as the "second backup tape" -- is taken offsite each night by one member of a rotating staff of state network administrators. But the state intern who had it last Sunday night did not follow proper procedure and left it in his car, where it was stolen after a break-in, according to Gov. Ted Strickland.

Strickland said it would require a significant level of expertise and multiple computer programs to access the personal information.

"We have no reason to believe there's any breach of security at this time, and we think it is unlikely that a breach will occur," Strickland said at a press conference. The governor noted his personal information also was on the tape "and I slept very well last night."

While most enterprise security strategies revolve around logical security, it is often a physical loss that forces an organization to disclose a data breach. Last month, the Transportation Safety Administration suffered the theft of a removable hard drive containing the personal data of 100,000 of its employees, who later filed a lawsuit against the TSA. And the now-infamous data loss at the Department of Veterans Affairs was caused by the physical theft of a laptop at an employee's home. (See TSA Loses 100,000 Employee Records and VA Reports Massive Data Theft.)

And just yesterday, Texas A&M Corpus Christi reported that the personal information of some 8,000 students was recently lost in a foreign country. A professor vacationing off the coast of Africa took the data with him on a small flash drive, then lost it. The drive "may have contained files with personally identifiable student information, including Social Security numbers," the university said.

All of the organizations that suffered the thefts now say they are reviewing their policies and practices for handling portable storage devices. The governor of Ohio has issued an executive order revamping the state's procedures to ensure the privacy of employees' personal information.

Sheane said CCCU has outside parties reviewing the credit union's procedures for transporting backup information. "There are some changes we're contemplating."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "This is the last time we hire Game of Thrones Security"
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19230
PUBLISHED: 2019-12-09
An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code.
CVE-2013-0342
PUBLISHED: 2019-12-09
The CreateID function in packet.py in pyrad before 2.1 uses sequential packet IDs, which makes it easier for remote attackers to spoof packets by predicting the next ID, a different vulnerability than CVE-2013-0294.
CVE-2014-0242
PUBLISHED: 2019-12-09
mod_wsgi module before 3.4 for Apache, when used in embedded mode, might allow remote attackers to obtain sensitive information via the Content-Type header which is generated from memory that may have been freed and then overwritten by a separate thread.
CVE-2015-3424
PUBLISHED: 2019-12-09
SQL injection vulnerability in Accentis Content Resource Management System before the October 2015 patch allows remote attackers to execute arbitrary SQL commands via the SIDX parameter.
CVE-2015-3425
PUBLISHED: 2019-12-09
Cross-site scripting (XSS) vulnerability in Accentis Content Resource Management System before October 2015 patch allows remote attackers to inject arbitrary web script or HTML via the ctl00$cph_content$_uig_formState parameter.