Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Stop, Thief!

Major data breaches occur when storage media are physically stolen

When we use the phrase "data theft," we're usually talking about online criminals or insiders, not the guys with the heavy beards and the sacks slung over their backs. In the last week, however, old-school physical thieves have created nightmares for two large enterprises.

Last Thursday, Coastal Community Credit Union members reported a threat to the personal information of its 120,000 members when backup tapes were stolen from the courier company that transports them.

Garth Sheane, CCCU president and CEO, said the tapes were stolen while a courier truck was parked and locked in Nanaimo, B.C., on May 23. The tapes contain files with selected personal and financial information, such as name, address, date of birth, social insurance number, member number, ATM/debit card number, credit card number, and/or balances.

Sheane said the tapes don't contain PIN numbers, personal access codes for Internet or telephone banking, expiry dates or codes for credit cards, or security code words for in-branch access. But Sheane said fraudsters could still exploit the information, which is why the credit union has issued an advisory to each member.

"I think that's what would be in the top of the minds of most people -- identity theft," said Sheane. The tapes were encrypted and would require special commercial software to decrypt, he noted. "I don't believe anyone is going to have the ability to access the data on those tapes... We're concentrating our efforts on informing our members."

The very next day, the state of Ohio reported that a backup computer storage device with the names and Social Security numbers of every state worker -- some 64,467 people -- had been stolen out of a state intern's car.

The storage device -- described as the "second backup tape" -- is taken offsite each night by one member of a rotating staff of state network administrators. But the state intern who had it last Sunday night did not follow proper procedure and left it in his car, where it was stolen after a break-in, according to Gov. Ted Strickland.

Strickland said it would require a significant level of expertise and multiple computer programs to access the personal information.

"We have no reason to believe there's any breach of security at this time, and we think it is unlikely that a breach will occur," Strickland said at a press conference. The governor noted his personal information also was on the tape "and I slept very well last night."

While most enterprise security strategies revolve around logical security, it is often a physical loss that forces an organization to disclose a data breach. Last month, the Transportation Safety Administration suffered the theft of a removable hard drive containing the personal data of 100,000 of its employees, who later filed a lawsuit against the TSA. And the now-infamous data loss at the Department of Veterans Affairs was caused by the physical theft of a laptop at an employee's home. (See TSA Loses 100,000 Employee Records and VA Reports Massive Data Theft.)

And just yesterday, Texas A&M Corpus Christi reported that the personal information of some 8,000 students was recently lost in a foreign country. A professor vacationing off the coast of Africa took the data with him on a small flash drive, then lost it. The drive "may have contained files with personally identifiable student information, including Social Security numbers," the university said.

All of the organizations that suffered the thefts now say they are reviewing their policies and practices for handling portable storage devices. The governor of Ohio has issued an executive order revamping the state's procedures to ensure the privacy of employees' personal information.

Sheane said CCCU has outside parties reviewing the credit union's procedures for transporting backup information. "There are some changes we're contemplating."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...