The beginning of August has been extremely rich in data breaches caused by stolen or misplaced flash drives, hard drives and laptops, most of them unencrypted, as it almost always happens. Some of them are quite recent, in other cases it has taken over 5 months for those in question to let the affected parties know about the incidents.

The first breach in chronological order affected Lewisham Homes Limited and Wandle Housing Association Ltd and it involved a contractor’s flash drive that got lost in a pub. Apparently, mixing drinking and having fun with sensitive information does not lead to a tasty cocktail, it leads to details of over 26,000 tenants being lost. The silver lining of the incident is that only 800 people should worry about bank details. August 5 was by far the most prolific day for security breach reports with several such incidents being reported on that very day, two of which had to do with missing drives and computers. In the first case, two unencrypted laptops with patient information were stolen from the Harley Street Clinic. In the second case, a hard drive with medical information of over 600 patients was left in a cab by a doctor in a great hurry.

Another laptop was stolen from the Office of the Telecommunication Authority, which contained personal data of more than 500 people. It was closely followed by another flash drive, again unencrypted, belonging to a hospital that a doctor managed to lose. It contained 474 maternity patients’ names and medical details.

So, my advice to you: make sure everything is encrypted: your portable hard drives, your flash drives, your laptops and anything else you can think of. Better to prevent data loss than deal with it after the security breach has occurred. If you need help finding a device control and data loss prevention solution, we’re always here to help!

The Pentagon has finally confirmed a security breach that happened back in 2008 and which one of their top officials has described as “the most significant breach of U.S. military computers ever.” The breach was caused when a foreign intelligence agent used a flash drive to infect US military computers, including those used by the Central Command to oversee combat zones in Iraq and Afghanistan.

The device in question was a cigarette-lighter-sized flash drive which was plugged into an American military laptop from a base in the Middle East amounted to “a digital beachhead, from which data could be transferred to servers under foreign control,” according to William J. Lynn 3d, deputy secretary of defense, quoted by the New York Times

“It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” Mr. Lynn wrote.

This serious security breach was first reported in November 2008 in Wired magazine’s Danger Room blog and according to The Los Angeles Times, the event was grave enough to have President George W. Bush briefed on it, also mentioning that Russian involvement was suspected.

Almost a year later, Mr. Lynn’s recent article was the first official confirmation of this breach which he called Operation Buckshot Yankee and said that the episode “marked a turning point in U.S. cyber-defense strategy.” One of the early countermeasures set in place was the fact that the Defense Department banned the use of portable flash drives in its computer network, yet the ban was later annuled.

“A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States’s global logistics network, steal its operational plans, blind its intelligence capabilities or hinder its ability to deliver weapons on target,” he wrote.
Against the array of threats, Mr. Lynn said, the National Security Agency had pioneered systems — “part sensor, part sentry, part sharpshooter” — that are meant to automatically counter intrusions in real time.

The security breach case we’re about to talk about is both troubling and funny. Missing data found after a few days after the disclosure of the breach, or, in other words, playing hide and seek with personal records is what’s been happening at the Tennessee State University.

After spreading the news that a flash drive containing the financial information and Social Security numbers of more than 9,000 students, TSU thoroughly proceeded to notify their students of the security breach. They also backed their announcement with credit protection for those affected.

TSU has a policy about keeping Social Security numbers in protected files, yet the reality was that the missing flash drive wasn’t believed to be encrypted or password-protected. Pretty standard case up to now, as hardware is lost and leads to significant data loss, security policies are not complied with, etc.

But! Yes, there’s a “but”, a few days after the announcement, a student turned the flash drive in and TSU released the good news. No one really knows why the student had the drive or how he got it; let’s hope the internal audit will clear this mystery.

The fact that security policies are not really complied with no longer surprises any of us. But finding out that any student can get their hands on private records that easily is a bit troubling. And the position of TSU is a bit weird as well: ooouups, we’ve lost some pretty important data on our students! Oh, no, our bad, one of our students had it because we have protocol and policies just to show off!

Photo credit

A flash drive containing private information on 2,600 former Dayton-area Delphi workers has recently been stolen from an unattended laptop of a Job and Family Services department employee. The information stored on said drive included names, addresses, social security numbers and telephone numbers of the workers.

Helen Jones-Kelley, director of the Job and Family Services department, quoted by the Dayton Daily News, said leaving the laptop unattended during lunch hour was a violation of department policy and the responsible employee could be taken disciplinary actions against, including termination.

In what those affected are concerned, the same department representative said they have sent letters to all those involved.