Another Security Breach
From InternetNews.com:
Hundreds of thousands of BlueCross customers are in for a scare. This week, the insurance company is sending out notifications to its customers fessing up to a significant data breach that saw a thief make off with 57 hard drives from a call center in Tennessee.
The hard drives contained encoded, but not encrypted, records of phone calls and video files containing sensitive patient information. eSecurity Planet has the details on the breach.
Personally Identifiable Information (PII) drives companies crazy. We need to obtain it to provide services, but if we mishandle it, we are in for big trouble. This latest case shows that security is an integrated problem. Often we concentrate on strong passwords and software controls to limit access and guarantee that data only reaches the users who should have it, yet we leave the front door open by not protecting physical access to the servers and thereby the data on them. Think of the laptops that were misplaced a while ago. Had they been encrypted, the exposure would have been under control, but the company's reputation would still have been damaged, because people don't believe encrypted data is safe. If a thief can walk off with the laptops, or the drives in this case, the average person assumes the data is compromised.
In software and system design we need to pay attention to every aspect of loss prevention, and that includes non-technical preventative security measures. I once had a client who spent a large sum of money on a hand reader for the data center main door, but left their database exposed to direct TCP access with the default system admin user name and password still set. Ouch. It is easy to get caught up finding technical solutions to problems like data security and forget to lock the front door at night. In this latest case, encrypted drives would have gone a long way toward preventing actual data loss, but once the data physically leaves the control of the company, the company cannot prove that the data was not compromised.
Lesson to be learned: do not forget the real issues. Address the whole problem holistically, taking every aspect, physical and technical, into account.