informa
News

Stop, Thief!

Major data breaches occur when storage media are physically stolen

When we use the phrase "data theft," we're usually talking about online criminals or insiders, not the guys with the heavy beards and the sacks slung over their backs. In the last week, however, old-school physical thieves have created nightmares for two large enterprises.

Last Thursday, Coastal Community Credit Union members reported a threat to the personal information of its 120,000 members when backup tapes were stolen from the courier company that transports them.

Garth Sheane, CCCU president and CEO, said the tapes were stolen while a courier truck was parked and locked in Nanaimo, B.C., on May 23. The tapes contain files with selected personal and financial information, such as name, address, date of birth, social insurance number, member number, ATM/debit card number, credit card number, and/or balances.

Sheane said the tapes don't contain PIN numbers, personal access codes for Internet or telephone banking, expiry dates or codes for credit cards, or security code words for in-branch access. But Sheane said fraudsters could still exploit the information, which is why the credit union has issued an advisory to each member.

"I think that's what would be in the top of the minds of most people -- identity theft," said Sheane. The tapes were encrypted and would require special commercial software to decrypt, he noted. "I don't believe anyone is going to have the ability to access the data on those tapes... We're concentrating our efforts on informing our members."

The very next day, the state of Ohio reported that a backup computer storage device with the names and Social Security numbers of every state worker -- some 64,467 people -- had been stolen out of a state intern's car.

The storage device -- described as the "second backup tape" -- is taken offsite each night by one member of a rotating staff of state network administrators. But the state intern who had it last Sunday night did not follow proper procedure and left it in his car, where it was stolen after a break-in, according to Gov. Ted Strickland.

Strickland said it would require a significant level of expertise and multiple computer programs to access the personal information.

"We have no reason to believe there's any breach of security at this time, and we think it is unlikely that a breach will occur," Strickland said at a press conference. The governor noted his personal information also was on the tape "and I slept very well last night."

While most enterprise security strategies revolve around logical security, it is often a physical loss that forces an organization to disclose a data breach. Last month, the Transportation Safety Administration suffered the theft of a removable hard drive containing the personal data of 100,000 of its employees, who later filed a lawsuit against the TSA. And the now-infamous data loss at the Department of Veterans Affairs was caused by the physical theft of a laptop at an employee's home. (See TSA Loses 100,000 Employee Records and VA Reports Massive Data Theft.)

And just yesterday, Texas A&M Corpus Christi reported that the personal information of some 8,000 students was recently lost in a foreign country. A professor vacationing off the coast of Africa took the data with him on a small flash drive, then lost it. The drive "may have contained files with personally identifiable student information, including Social Security numbers," the university said.

All of the organizations that suffered the thefts now say they are reviewing their policies and practices for handling portable storage devices. The governor of Ohio has issued an executive order revamping the state's procedures to ensure the privacy of employees' personal information.

Sheane said CCCU has outside parties reviewing the credit union's procedures for transporting backup information. "There are some changes we're contemplating."

— Tim Wilson, Site Editor, Dark Reading

Recommended Reading: