Thumbnail Drive with Data of Job Seekers Lost

March 8th, 2008 by Alina (0) Data Leakage, Data Loss, endpoint security

A company hired by the Nevada Department of Public Safety to do background checks for 109 job applicants managed to lose the private data of said job seekers. According to an article in Chron.com, their private records were stored on a thumbnail drive owned by one of the hired firm's employees.

Following this incident, the Department of Public Safety has temporarily suspended the use of outside vendors for background checks while it is reviewing all its processes and procedures.

Government Agencies Fail at Protecting User Data

February 26th, 2008 by Alina (2) Data Leakage, Data Theft, In the News, security breach

Two years ago, a major security breach was reported by the US Department of Veterans Affairs. At the time, a laptop containing private data on an extremely large number of veterans had been stolen. Following the incident, strict guidelines were established in order to protect personal information and prevent such thefts and exposures from happening.

According to the Register, two years was not enough time for government agencies to implement the guidelines and comply with their security requirements.

According to a report issued by the Government Accountability Office (GAO) today, a number of agencies fell short on recommendations for securing databases, remote access, and mobile devices. All of the agencies received a downgrade in their scores for e-government progress on the President’s Management Agenda Scorecard.

Of the 24 major agencies audited in the report, only 11 had established policies for logging data extracted from agency databases and for erasing the data within 90 days of extraction. Only 15 agencies had established a “time out” function for remote and mobile devices that requires user re-authentication after 30 minutes of inactivity.

The same report has revealed that 25 other security breaches occurred in a three-year interval, 2004-2007, three of them exposing private records of more than 100,000 individuals. It also states these are only the breaches accounted for, but the actual number might be far greater.

Endpoint Protector 2008 Addresses Wireless USB Security Issues

February 13th, 2008 by Alina (0) DLP, In The Spotlight, Wireless USB, endpoint security

Wireless USBs, besides bringing data transfers and portability to a new level and diminishing restrictions of the traditional USB protocol, also harbor specific threats. While transfers between these portable devices and computers come with no impressive tricks, the data they store can easily be leaked to third-party PCs or devices supporting wireless transfers.

The new Endpoint Protector 2008 developed by CoSoSys is the first endpoint security and DLP solution to address such threats specifically. More details on the new version from PR Inside:

The new Endpoint Protector 2008 efficiently protects PCs from data loss, data theft and other forms of data leakage. Endpoint Protector allows the controlled use of USB devices, external hard drives, FireWire devices, CD/DVD-Readers/Writers and many other potentially harmful devices, with the goal of stopping malware, viruses and other unwanted data intrusions.

Endpoint Protector 2008 also monitors and records all data transferred to and from portable storage devices. This new feature gives IT administrators the possibility to trace all data activity regarding removable storage and endpoint devices. This file tracing option allows the prevention of possible data breaches or of data being copied without authorization.

While the client product only runs on Windows operating systems, the Endpoint Protector Server 2008 is available for both Windows and Linux platforms, addressing a wider range of working scenarios.

Harsher Laws to Deal with Data Breaches

February 6th, 2008 by Alina (0) DLP, Data Leakage, Laws & Standards

The state of California has recently passed a bill imposing strict measures to be taken by companies experiencing data breaches. The main purpose of the document is to make sure those affected by their private details being compromised are informed and fully aware of what’s at stake. InformationWeek provided more information on the bill:

California has already enacted a law that requires consumer notification when data breaches occur. The new bill requires companies, public agencies, and other organizations to provide toll-free numbers for credit reporting agencies so consumers can put holds on their cards, the name and contact information of the business affected, and what information may have been exposed or stolen. It also requires notices to explain when the breach occurred and the number of people affected by it.

It is only a matter of time until such measures are taken by other states and other countries. Given the significant amounts of time and money invested in reacting to such information breaches, implementing a data leakage prevention solution seems a much wiser and cheaper way out.

USB with NATO Sensitive Data Found in Swedish Library

February 5th, 2008 by Alina (0) Data Leakage, Data Loss

A USB stick containing classified NATO information was found in a library in Sweden. According to the Register, the stick contained sensitive details on NATO’s ISAF peace-keeping force in Afghanistan and an intelligence report on the attempted assassination targeting Lebanon’s defense minister and the murder of Sri Lanka’s foreign minister.

Given the reaction of Colonel Bengt Sandström of the Swedish Military Intelligence described by the Register, it is most likely that the USB stick in question was in no way encrypted or protected by any endpoint security solution.

This is not the first time such critical information has been misplaced. The Dutch army, as shown in the same article, lost classified data in similar circumstances not once, but twice in the same year, 2006. Also, the US military lost several flash drives containing secret information. The devices were later discovered as they were being sold carelessly in an Afghan market.

I’d like to point out that precedents don’t seem to impose harsher measures when it comes to classified military data. After several such incidents having occurred, one would expect army decision makers to upgrade their security policies and have the latest endpoint security software implemented.