Browsing articles in "Data Breach"

Federal Department Bans Use of Portable Devices (YAFF)

Jan 22, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach  //  4 Comments

portable hard drive

I thought I had blogged about this Canadian data breach, but I guess not.  All these data breaches are coming so fast it’s hard to keep up. In this report, we have another YAFF: a portable hard drive being used as a backup device.

It looks like Human Resources and Skills Development Canada (HRSDC) will be taking a three-pronged approach to protecting our data: first, a new policy banning portable storage devices; second, use of data loss protection technologies and third, establishing consequences for staff that cause a data breach.

OTTAWA — The federal department at the centre of a massive data breach says it is banning the use of portable data devices in its offices, using new technology to prevent information from being easily removed from the network and warning any staff that violation of the new rules could mean the loss of their job.

Human Resources and Skills Development Canada (HRSDC) said Monday that it will start using “data loss technology,” which would allow the department to restrict when, where and which staff can remove information from government systems. Reviews have already started to see what risks the use of secured, portable data devices, such as USB memory sticks, carry in the department’s work and whether there are enough safeguards to prevent another massive breach of personal information from happening again.

via Federal department bans use of portable devices after personal data breach |

Their loss of more than half a million student loan borrowers’ data has led to class action lawsuits.  A missing external hard drive is the hardware piece of this breach; the fact that this drive contained unencrypted backups is the behavioural issue.  Perhaps we need to start thinking about how to train end users on the consequences of moving data from “the system” to any place else, even for backup purposes.

Is there a solution?

I have more questions than solutions here, though.  Usually enterprise backup solutions involve software plus a server or external service.  I’m not sure why HRSDC was using a portable hard drive for backup.  They are harder to manage, they tend to walk away, and they aren’t that reliable.  So I’m going to guess here that this device was a personal device or being used to sneakernet files from one location to another.  Perhaps from office to home, or from office to office.  Both of those scenarios bother me because they most likely were not official methods for doing these tasks. 

I don’t think there’s one answer.  Training, policy, inspections, consequences, real monitoring and protection, more training, more inspections, some tough decisions.  It’s a complex issue that will require complex responses.  I’d like to hear what other organizations are doing to mitigate data breaches.

Utah Health Department – Yet Another Flashdrive FAIL (YAFF)

Jan 18, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach, Data Stewardship  //  2 Comments

Red USB Drive

I think we need to have an industry acronym now that this seems to happen every week.  My proposals:

  • Yet Another USB Breach (YAUB)
  • Blame A Thumbdrive (BLAT)
  • Yet Another Flashdrive Fail (YAFF)

I like the YAFF one best, so I’m going with that, even though the #FAIL really isn’t in the hardware, but in the abuse of policy and hardware to cause a data breach.

This week’s YAFF announcement comes again from Utah, where a contractor with access to sensitive health data lost a USB flash drive somewhere between Salt Lake City, Denver, and Washington, DC.

What’s different about this news story is that we get more insight as to why that data was on a portable device.  And it’s just as I prognosticated in a previous post: the contractor was frustrated with an infrastructure issues.

The contractor, Goold Health Systems, handles Medicaid pharmacy transactions for the Health Department.Department spokesman Tom Hudachko said the GHS employee, identified only as a woman from Denver, was having trouble with an Internet connection Thursday while trying to upload the data to a server. The employee saved the personal information to an unencrypted USB memory stick and left the Health Department with the device. The employee lost the stick sometime in the following days while traveling between Salt Lake City, Denver and Washington, D.C.

(emphasis mine)

via Utah health department reports another data breach |

The contractor lost her job over this.

People Forget Policy When They Are Frustrated or Stressed

I once found a QA contractor cursing at his computer because he was having trouble sending a large file via his Hotmail account.  I offered to help.  When he showed me what he was doing I just about had a heart attack.  He had been trying to send our offshore contractor a copy of a production database backup.  This backup contained names, addresses, phone numbers, credit card information  (no, the legacy system shouldn’t have been storing this information, but it did), SSNs, Driver’s license numbers and other forms of ID. It was an identity theft treasure chest of awesome.

When I asked him why he was trying email this information to our offshore contractor he said he was frustrated that corporate email system would not let him email such a large file.

He told me the only reason he did this was that he had to get the bug logged and fixed before the weekend because he had plans to be away.  He also forgot that production data was never supposed to leave the building.    I’m not sure he ever really felt that what he was doing was wrong, or had any idea why emailing sensitive data was wrong.

The other shock I got was that it was a production DBA who had given him the backup.  When I asked the DBA why he did this without even asking what it was for, he said "I was really busy and didn’t have time."

I wonder just how many times this scenario plays out every day in offices around the world.

Love your data, even when you are stressed.  Especially when you are stressed.

B.C. Health Ministry Data Breach Affects Millions

Jan 16, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach  //  1 Comment

USBBottleOpener - Karen Lopez

News about yet another health data breach comes, with millions affected.  The largest breach of about 5 million people involves yet again, a USB drive.

I could see why a CIO would want to order the disabling of all USB ports on corporate computers. Then will someone is going to come up with a “USB Drives Don’t Breach Data, People Do” solution?

I’m still wondering why the tech community can’t come up with a solution to this ongoing attack on people’s data.   In these cases, is it that the employees just didn’t care about the people? Were they feeling pressure to just get the job done?  Did they not know that sensitive data was on these devices?  Perhaps they were just sharing one of their USB bottle openers like the ones I collect?

– June 2012: The health data of about 38,000 individuals was shared with a researcher. The data was linked to Statistics Canada community health survey information. The disclosure of the information breached an agreement with the federal government.

– June 2012: A USB stick which contained a plain text file of 19 types of health data was provided to an authorized ministry contractor. The file included personal health numbers and health conditions – such as Alzheimers – for about five million individuals over several years. Against policy the data that was neither encrypted or made non identifiable.

– October 2010: Health Ministry data containing the personal health numbers of about 21,000 people – with diagnostic information for about 262 chronic diseases conditions – was shared on a USB stick with a researcher without a request being approved.

via B.C. Health Ministry data breach affects millions – 38,000 will receive letters – Local – Times Colonist.

Disabling USB ports seems like the wrong approach.  Right now I’m leaning towards criminal prosecution of people who are careless with our data.

Love your data.  Because it’s really our data.

Global Payments Data Breach Tab: $94 Million, Plus More in 2013

Jan 13, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach  //  1 Comment

CreditcardiStock_000014000007XSmallOne of the most common discussions I have with other data professionals is “why do we keep having so many silly data breaches?”  It seems to me that the data put at risk is done so by sloppy IT practices and negligent employees, not always via hackers and fraudsters.  In this case, it appears it was both.  Reports and rumours point to insecure system admin practices and outside hackers.  We don’t know for certain, because in the US data breach laws are patchy and weak.

Usually the discussion comes around to talking about US companies not having to face many consequences for failing to protect our data.  Take a look at this quote about the GlobalPayments breach of 1.5 to 7 million merchant account holder data:

Global says it has now paid all fines related to non-compliance and has reached resolution with certain card networks, although it did not specify which ones. The processor also says its business has not suffered as a result of the breach.

“The impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial,” Global states. “We continue to process transactions worldwide through all of the card networks.”

via Global Payments Breach Tab: $94 Million – BankInfoSecurity.

Global has spent almost a hundred million dollars on this breach and expects to have to shell out another $25-25 million in 2013.  And yet with those numbers they don’t believe it has had a negative impact on their business.

Global handles Visa and MasterCard payment processing of about $120 billion (yes, with a “b”) in payments annually.

Their annual report also seems to imply that they were not PCI-DSS compliant when the breach occurred and Global has been removed from the list of organizations that is compliant.  So billions of dollars and millions of account information pass through their non-compliant networks.  Because it can.

I wish more companies would treat our data as something that needs to be protected.

Health Data Breaches – Insider Data Trading?

Jan 9, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach, Data Stewardship  //  1 Comment


It seems like the majority of health data breaches I read about are via insiders with access to patient information systems stealing and selling their data.

Federal authorities say Sergei Kusyakov, who was involved with Metro Chiropractic and Wellness Center and City Lights Medical Center, illegally obtained private information about patients through Dale Munroe II and his wife, Katrina Munroe, who worked at Florida Hospital’s Celebration campus.

Authorities said Dale Munroe accessed more than 763,000 records for patients treated at various Florida Hospital locations. He focused on patients who were in automobile accidents, and inappropriately reviewed in detail more than 12,000 patient records.

via Florida Hospital patient data theft: Man admits to paying hospital employees to steal patient data –

The interesting part of this is that first it was the husband stealing the data, then when he was fired, his wife took up the work.  I would think that there would have been better monitoring of her data access in this case, given the highly-sensitive nature of the data.

Does your organization sufficiently monitor data access to sensitive data?  Are you told that you should be using production data for testing of IT development solutions?  Do you know that may be illegal in some jurisdictions?  
I’ve always refused to accept production data for testing purposes.  I think if all data professionals would do that, it would help everyone understand just how risky it was.

Loving your data involves protecting it, too. It’s our job as data professionals to ensure organizations do that.

An Audible Data Privacy Breach

Jan 2, 2013   //   by Karen Lopez   //   Blog, Data, Data Breach  //  3 Comments



RI labor dept. warns of possible privacy breach.

I think about data encryption, physical access controls to servers and such on a regular basis. But there are all kinds of formats via which data gets stored or communicated.  The Rhode Island Department of Labor recently had a data breach involving their call center.  Customers were able to hear conversations on other calls.  The department estimates fewer than 700 people were affected.

  • Paper forms in which data is originally collected.  Think membership forms, applications, feedback and suggestion forms.  I remember seeing a binder full of membership forms being used to prop open a door on the sidewalk in front of a store.  When I pointed out to the manager that this was a problem, he shrugged and said it wasn’t a problem because all the data had already been keyed in and therefore no longer had any value to them except when the systems were down.
  • Video and photographs.  The advent of video analytics and photo analysis means that we are collecting, storing, and putting at risk more data than ever before.  I remember seeing a retailer’s security video tapes sitting all lined up on a counter at the back of a store.  The only thing that made this somewhat safe is that most likely the security system was probably so poor it would be impossible to determine who was on those videos.  But now video analytics allow retailers to determine when you visit their store, who you shop with and what products interest you.
  • Conversations.  Yes, all those "may be recorded for quality purposes" call center calls are most likely chock full of your personal information.  I worry how well those data sets are being protected, too.

I believe our role as data professionals should go beyond protecting the data held in a traditional database.  Because I’m not sure anyone else is even considering that data.  And I’d bet the bad guys are betting that no data professional is involved in protecting it.

Love your data.  Love your customers’ data, too.

Stolen Laptop Affects 34k Patients–Can You Spot the Problem?

Apr 3, 2012   //   by Karen Lopez   //   Blog, Data, Data Breach  //  No Comments

A recent CMIO post describes the data breach of 34,000 patients’ personally identifiable information.

A former contractor’s personal laptop containing patient information was stolen, according to a statement from Larry Warren, CEO of the hospital. “This information was downloaded in violation of Howard University Hospital policy,” he wrote.

I’ll give you 30 seconds to spot 3 problems with the situation.  Tick, Tock.

I can see three especially worrisome problems:

  • Information was downloaded in violation:  I’m guessing that there was no monitoring of downloads of sensitive data at this medical institution.  This sort of monitoring may have prevented this data from leaving the building.
  • Former contractor:  So a person who had access to this sensitive data was allowed to leave the organization with it. I personally refuse to put data such as this on my own devices, mainly because I do not want the liability of having to protect it or report it if something were go wrong.  I am usually the only person on the project who refuses.  However, I have never even been asked or reminded about removing any company data from any of my storage devices when I go on to other projects.
  • Personal Laptop:  I sometimes use my own equipment when working at a client and that is normally due to the fact that client systems are often less powerful than my own and they don’t have licenses for tools that I need to do my job..  But I’d rather use systems that have enterprise-class security, encryption and monitoring.  I wish more corporate systems supports such practices.

2010-10-01 22.19.19Since the article did not mention that the data was encrypted, I’m guessing it wasn’t.  I’m also wondering why this ever got reported…most former consultants would not do so, I’m guessing, if they had the data in violation.  Perhaps the laptop was recovered and the breach was reported that way.

I’ve previously blogged about how poorly medical data is protected.

This sort of data breach makes me mad. It’s nice that the hospital says that they are now “implementing enhanced security measures”, but why didn’t they do that before? Did their compliance officer recommend it but management said “no, too expensive”?  Did their DBA say “the database is encrypted, so we are covered”?  Did the former contractor take the data maliciously? Did he have to put it on his personal laptop? Why do we continue to treat data as if it is someone else’s problem to manage?  Do we not understand that we have a professional obligation to protect patient data?  Even with legislation it seems the message still isn’t making it through to everyone.

Does your organization have security monitoring in place to protect patient or customer data?  If it doesn’t, have you recommended that it do so?  Go do it, now.


Subscribe via E-mail

Use the link below to receive posts via e-mail. Unsubscribe at any time. Subscribe to by Email