Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Stop, Thief!

Major data breaches occur when storage media are physically stolen

When we use the phrase "data theft," we're usually talking about online criminals or insiders, not the guys with the heavy beards and the sacks slung over their backs. In the last week, however, old-school physical thieves have created nightmares for two large enterprises.

Last Thursday, Coastal Community Credit Union members reported a threat to the personal information of its 120,000 members when backup tapes were stolen from the courier company that transports them.

Garth Sheane, CCCU president and CEO, said the tapes were stolen while a courier truck was parked and locked in Nanaimo, B.C., on May 23. The tapes contain files with selected personal and financial information, such as name, address, date of birth, social insurance number, member number, ATM/debit card number, credit card number, and/or balances.

Sheane said the tapes don't contain PIN numbers, personal access codes for Internet or telephone banking, expiry dates or codes for credit cards, or security code words for in-branch access. But Sheane said fraudsters could still exploit the information, which is why the credit union has issued an advisory to each member.

"I think that's what would be in the top of the minds of most people -- identity theft," said Sheane. The tapes were encrypted and would require special commercial software to decrypt, he noted. "I don't believe anyone is going to have the ability to access the data on those tapes... We're concentrating our efforts on informing our members."

The very next day, the state of Ohio reported that a backup computer storage device with the names and Social Security numbers of every state worker -- some 64,467 people -- had been stolen out of a state intern's car.

The storage device -- described as the "second backup tape" -- is taken offsite each night by one member of a rotating staff of state network administrators. But the state intern who had it last Sunday night did not follow proper procedure and left it in his car, where it was stolen after a break-in, according to Gov. Ted Strickland.

Strickland said it would require a significant level of expertise and multiple computer programs to access the personal information.

"We have no reason to believe there's any breach of security at this time, and we think it is unlikely that a breach will occur," Strickland said at a press conference. The governor noted his personal information also was on the tape "and I slept very well last night."

While most enterprise security strategies revolve around logical security, it is often a physical loss that forces an organization to disclose a data breach. Last month, the Transportation Safety Administration suffered the theft of a removable hard drive containing the personal data of 100,000 of its employees, who later filed a lawsuit against the TSA. And the now-infamous data loss at the Department of Veterans Affairs was caused by the physical theft of a laptop at an employee's home. (See TSA Loses 100,000 Employee Records and VA Reports Massive Data Theft.)

And just yesterday, Texas A&M Corpus Christi reported that the personal information of some 8,000 students was recently lost in a foreign country. A professor vacationing off the coast of Africa took the data with him on a small flash drive, then lost it. The drive "may have contained files with personally identifiable student information, including Social Security numbers," the university said.

All of the organizations that suffered the thefts now say they are reviewing their policies and practices for handling portable storage devices. The governor of Ohio has issued an executive order revamping the state's procedures to ensure the privacy of employees' personal information.

Sheane said CCCU has outside parties reviewing the credit union's procedures for transporting backup information. "There are some changes we're contemplating."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-12
Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.
PUBLISHED: 2021-05-12
Exposure of System Data to an Unauthorized Control Sphere vulnerability in web UI of Argo CD allows attacker to cause leaked secret data into web UI error messages and logs. This issue affects Argo CD 1.8 versions prior to 1.8.7; 1.7 versions prior to 1.7.14.
PUBLISHED: 2021-05-12
Deskpro Cloud Platform and on-premise 2020.2.3.48207 from 2020-07-30 contains a cross-site scripting (XSS) vulnerability that can lead to an account takeover via custom email templates.
PUBLISHED: 2021-05-12
Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote attackers to execute arbitrary code by injecting commands into the "Website SEO Keywords" field on the page "admin/info.php?shuyu".
PUBLISHED: 2021-05-12
An Information Disclosure vulnerability exists in dhcms 2017-09-18 when entering invalid characters after the normal interface, which causes an error that will leak the physical path.