A data breach affecting 1.8 million customers of two New York utilities companies has recently been made public by the  New York State Public Service Commission. The investigation into this data breach was initiated after an employee from a third party IT company contracted by New York State Electric & Gas (NYSEG) and Rochester Gas and Electric (RG&E) was given unauthorized access to the company’s databases.

It is not clear if accessing the customer databases had any malicious intent, both affected companies claiming there was no proof of any data having been misused as a consequence of the breach. But, to stay on the safe side, they have decided to send out notifications regarding the data access, as it exposed Social Security Numbers, dates of birth and financial account information, as shown in the official press release sent out by the NY Commission.

“This investigation will seek a complete understanding of the root causes for this security breach, and the measures in place to protect against such a breach,” said the Commission’s Chairman Garry Brown.

NYSEG and RG&E have  also partnered with credit service group Experian to offer free credit card monitoring to the 1.8 million customers affected by the data breach. They also promised their full cooperation to forensics experts and law enforcement.

The US Department of Taxation (DOTAX) decided to take a closer look at how their systems work this year. The process of evaluation included a security audit which lead to discovering internal security breaches dating back to 2008. DOTAX celebrated the three years of undiscovered breaches by putting employees of the Hawaii DOTAX on administrative leave without pay and starting a comprehensive investigation.

The breaches affected the Department’s computer tax database but no one knows when they occurred, it is suspected they happened at least as far back as 2008.The discovered incidents were immediately turned over to the Department of the Attorney General for review and investigation.

“Protecting the integrity of tax records is a serious matter,” said Fred Pablo, the state tax director, in a written statement. “The possibility of wrongful actions are extremely disturbing, which is why these matters were immediately reported to the Attorney General.”

Other than announcing some of their staff were put on administrative leave, DOTAX did not release any other details on the investigation, stating they would only do so after it had been completed.  We look forward to that moment to know how many people have been affected and what kind of protection they will receive.

The ICO conducted an investigation on a case of hardware loss in May at the Rochdale Metropolitan Borough Council. The incident consisted in the loss of an unencrypted memory stick by a Council’s finance department employee, stick which contained names, addresses and payment details for 18.000 residents. The missing hardware was not found to the date.

The investigation concluded that the Rochdale Council has breached the Data Protection Act by not providing employees with encrypted memory sticks (although it was a known fact that these devices would be used to transfer private information) and by not training their employees to properly use portable devices for work purposes.

Sally Anne Poole, ICO’s head of enforcement qualifies this mishap as ‘unacceptable’ and says ‘This incident could have been easily avoided if adequate security measures had been in place.’ in a quote by eWeek.

The measures taken by the ICO in this case consist of signing an undertaking of actions to take to implement data protection policies by 31^st March 2012.

Let’s hope that more than one private data handling organization learns from this incident and encrypts their portable devices using proper solutions.

A whole lot was written on loss/theft of hardware (laptops, USB sticks, external hard drives, etc.) and we had thought that organizations would learn their lesson and encrypt sensitive data on such supports. Apparently, things aren’t quite like that and two recent incidents come to prove it.

A resident student at Vancouver Coastal Health lost a laptop and a USB stick (there is a high probability that the hardware was stolen) at the Toronto Airport. The information stored on the drives was password protected but it wasn’t encrypted.

A Vancouver Coastal Health official calls the incident ‘unfortunate’ and says that ‘This is the way physicians and other health care workers need to do their job. They need to use these devices.’ He admits that many professionals use laptops and that the agency has some issues handling mobile technologies.

Another mishap took place in the United Kingdom and the theft of a laptop that stored personal information of 100 young people who participated in inclusion programs. This laptop was in the house of a contractor of the Newcastle Youth Offending Team organization. The ICO (Information Commissioner’s Office) has established a fine for this organization for not encrypting the data. According to Sally-Anne Poole ‘Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure.’ She underlines the fact that organizations working with contractors must make sure that the latter ones align to their security policies.

It’s so simple and cheap to track the use of portable devices and encrypt sensitive data stored on them, that we really ask ourselves why don’t organizations do it?

Let’s hope that at least legal constraints will force private data handlers to implement solutions and politics to maintain their data safe and secure.

While data breaches are as common as any other daily occurrence in the business and individual worlds, the large security incidents don’t happen as often, especially if you think that one of the breaches in the top ten all time largest data exposures dates back to 1984. 2011 is not yet over and it already is the poster child of this top we all want to see unchanged.

2011 is the only year with three major data loss incidents in the top ten: Sony Corporation with 77 million records exposed, SK Communications, Nate, Cyworld with 35 million and again Sony Corporation through their Sony Online Entertainment division with close to 25 million records exposed. Luckily for us, although it featured large incidents, 2011 did not create as many victims as 2009 with its two incidents, Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank which share the number one position in the infamous top with 130 million records exposed and RockYou Inc. with another 32 million. 

Here’s the ultimate data breach top, the place where you never want to see your company’s name or that of any other company that has your data stored:

1. Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank – 130 million records (2009)
2. TJX Companies Inc. – 94 million records (2007)
3. TRW, Sears Roebuck – 90 million records (1984)
4. Sony Corporation – 77 million records (2011)
5. CardSystems, Visa, MasterCard, American Express – 40 million records (2005)
6. SK Communications, Nate, Cyworld – 35 million records (2011)
7. RockYou Inc. – 32 million records (2009)
8. U.S. Department of Veterans Affairs – 26,5 million (2006)
9. HM Revenue and Customs, TNT – 25 million records (2007)
10. Sony Online Entertainment, Sony Corporation – 24,6 million (2011)

Endpoint security developer CoSoSys has released a new version of their data loss prevention, device control and endpoint security solution for Windows and Mac OS, Endpoint Protector. Offering enhanced protection, increased effectiveness and the fastest implementation time in its segment, the out-of-the-box Hardware and Virtual Appliance is now available for small, medium and large companies and organizations.

Coming with a long list of new features targeting better security, reliability, ease of use and better adapting to company structures and organization charts, Endpoint Protector 4 is designed to protect networks ranging from 20 computers (endpoints) to more than 5.000 endpoints.

Some of the top benefits of this latest Endpoint Protector solution are:

• Seamless integration in business processes
• Saving time and money when the solution is installed
• Increased security through enhanced protection
• Reducing allotted resources of the security staff
• Optimum security through enhanced stability
• Enhanced protection through complex, adaptable end efficient security
• Reliable security through enhanced monitoring and policy control

Here’s a good piece of news for companies around the world: when it comes to access to your important and confidential data, you don’t need to treat all employees as equals. In fact, it is highly recommended to make sure not anyone can access all your files, and if they can see them, you should prevent everyone from copying or transferring the information you need to keep private.

Ongoing projects, customer data bases, inventions, strategies, private records of employees, credit card and bank account information, all these must remain confidential. So if you store them, how can you make sure an employee that is unaware of the harm they are doing or who knowingly wants to harm you, fails at their attempt to expose the files in question?

The feature that enables you to take control of who does what with your data is called File Whitelisting. Backed by file tracing, not only do you see who transfers what and to where, you also prevent anyone from copying or transferring documents classified as restricted to being viewed only. It keeps you safe and it also lets you know who tried to stick their nose where they were not supposed to. An effective endpoint security, device control and data loss prevention solution will certainly offer your company these seemingly simple, but very powerful features.

What’s the alternative? You might end up in the same situation as Chocolate Emporium who had their entire customer database being transferred by an employee via Dropbox. Yes, large files no longer discourage anyone. A simple flash drive or smartphone is enough to store all the information you value the most, in a matter of minutes. In the case of Chocolate Emporium, the employee knew what he was doing and took all the information on buyers he could find. But in some cases, there is no malicious intent. An eager employee that’s not educated in the ways of security my copy a similar database on his portable hard drive to work from home, to only find himself the victim of a theft. With the hardware also goes the information, which in most cases is unencrypted.

So keep your company safe instead of making up for the loss. It’s easy and effective. So why not try it?

The beginning of August has been extremely rich in data breaches caused by stolen or misplaced flash drives, hard drives and laptops, most of them unencrypted, as it almost always happens. Some of them are quite recent, in other cases it has taken over 5 months for those in question to let the affected parties know about the incidents.

The first breach in chronological order affected Lewisham Homes Limited and Wandle Housing Association Ltd and it involved a contractor’s flash drive that got lost in a pub. Apparently, mixing drinking and having fun with sensitive information does not lead to a tasty cocktail, it leads to details of over 26,000 tenants being lost. The silver lining of the incident is that only 800 people should worry about bank details. August 5 was by far the most prolific day for security breach reports with several such incidents being reported on that very day, two of which had to do with missing drives and computers. In the first case, two unencrypted laptops with patient information were stolen from the Harley Street Clinic. In the second case, a hard drive with medical information of over 600 patients was left in a cab by a doctor in a great hurry.

Another laptop was stolen from the Office of the Telecommunication Authority, which contained personal data of more than 500 people. It was closely followed by another flash drive, again unencrypted, belonging to a hospital that a doctor managed to lose. It contained 474 maternity patients’ names and medical details.

So, my advice to you: make sure everything is encrypted: your portable hard drives, your flash drives, your laptops and anything else you can think of. Better to prevent data loss than deal with it after the security breach has occurred. If you need help finding a device control and data loss prevention solution, we’re always here to help!

The weekend brings news of several security breaches, some showing a trend, others just containing very real warnings. As the week starts, here’s what you might have missed over the weekend, to keep you alert and informed. Today’s roundup brings you a few employees gone rogue on corporate data, sensitive information posted online, again the ever present stolen laptop and quite a few of these mishaps happening in institutions related to health care.

A security breach that happened back in April finally surfaced and it involves South Australian DNA testing company Medvet. The mishap led to customers’ names, work and home addresses, and types of DNA testing kit ordered being exposed online and dutifully indexed by Google. Australia’s Privacy Commissioner Tim Pilgrim has already launched an investigation.

The Meath County Council followed in the steps of the Australian security breach when planning applicants’ personal information, including birth certificates, bank account details and drivers’ licenses were posted online on their website. It took notifications from the general public for the information to be taken down.

UPromise Investments is one of the companies where employees thought to go against the employer in a security breach. The person in question accessed accessed 300 depositors’ names, social security numbers, birthdays and other contact information. This happened over 7 months while the suspected employee was on the job. What the job was? Withdrawals and deposits of course! The other such case happened at the Haartman Hospital, where an employee accessed 188 patients’ records without authorization.

The ever present stolen laptop this time belonged to the Kirklees Council and contained confidential files on 25 employees. What’s even more shocking is that this is one of several incidents in which private data was lost by the authority. If you were wondering, none of the information was encrypted and no one at the Council had to explain themselves for these breaches. Classic case of never learning from past mistakes!

Have a safe week everyone!

An employee of the California Department of Health thought it would be a great idea to access and copy to a portable drive personal information belonging to 9,000 former and current state employees.  The security breach discovered within the department involved names, dates of birth, and addresses stored in compensation records of the affected parties.

The California Department of Health is currently running an investigation on the scope and extent of the breach. In the mean time, the person responsible for the unauthorized removal of personal records from the institution is on administrative leave, answering all the questions needed to understand the incident. 

The data breach was discovered due to a state security detection system, which alerted officials of potentially suspicious activity back in April. The department stated they have upgraded their security to prevent future such security incidents.

Is there an easy way to prevent such breaches? An endpoint security and data loss prevention solution, if it’s a top line one, involves file tracing, telling IT departments who copied what and to which device. It also prevents the use of unauthorized portable drives and in the case of certain products it actually allows the creation of file lists, granting access to only those that are safe for use.