November Data Breaches: Learn from Others' Mistakes
In this first of two parts, we look at what security professionals can learn from data breaches that occurred in November 2013.
Each month, eSecurity Planet looks back at data breaches we've covered over the past 30 days or so, providing an admittedly unscientific but potentially interesting overview of the current breach landscape.
To get some perspective on the current threat landscape, eSecurity Planet spoke to F-Secure security advisor Sean Sullivan. In this first of two parts, we list the past month's breaches by category, noting what happened, what data was exposed and what the organization is doing in response - along with Sullivan's thoughts on many of the breach categories.
Later this week, we'll feature more of Sullivan's insights.
Burglary/Loss: Education and Encryption
When considering ways to mitigate the potential impact of a stolen device, Sullivan says it's crucial to keep in mind that full disk encryption is much easier to implement than it used to be. "We've been doing full disk encryption at F-Secure since I came here in 2006, and it was more painful in 2006," he says.
And simply providing employees with better laptops, Sullivan says, can also help. "My work laptop has a solid-state drive, it boots up in less than 30 seconds, and it's light and portable; I wouldn't leave it in the car," he says. "It's not difficult to lug around."
Providing employees with training and with a clear sense of responsibility for the data they're carrying around can also make a significant difference. "It's about providing security awareness that there's stuff on that laptop, and if you're carrying around intellectual property, you lose it, you bought it - and you also bought the intellectual property on there," Sullivan says. "So if we give you a bill for $50,000 of damage, you might not want to leave that laptop lying around."
"You can't train people to be always aware, but you can say, 'By the way, that laptop's worth more than the five hundred bucks for the laptop - you've got thousands of dollars worth of damage to the company on there if it gets lost,'" Sullivan says. "And then people remember, 'Oh yeah - I can't leave this thing behind.'"
A flash drive containing thousands of City of Milwaukee employees' personal information was in a car belonging to an employee of Dynacare Laboratories when the car was stolen. The drive contained approximately 6,000 city employees' names, addresses, birthdates, Social Security numbers and genders, along with the names of approximately 3,000 spouses and domestic partners of those employees.
The names, mailing addresses, email addresses, phone numbers, birthdates, Social Security numbers, salaries and 401k balances of an undisclosed number of Clarity Media Group employees may have been exposed when a laptop was stolen from the car of a Clarity Media Group subsidiary's employee. Those affected include current and former employees, as well as employees of Clarity Media Group's subsidiaries.
Kidney care and dialysis company DaVita notified 11,500 patients and some employees that their names, diagnoses, insurance information and dialysis treatment information may have been exposed when a password-protected but unencrypted laptop was stolen from an employee's vehicle. For approximately 375 patients, the data also included their Social Security numbers. Free credit monitoring services are only being offered to those patients whose Social Security numbers were exposed.
An undisclosed number of Kaiser Permanente Orange County Anaheim Medical Center patients' names, medical record numbers and birthdates may have been exposed when a USB flash drive went missing. It's not clear where the drive was last seen, whether or not it was encrypted, or what steps the company is taking in response to the breach.
The personal information of 1,039 patients at California's Redwood Memorial Hospital may have been exposed when an unencrypted thumb drive was lost. The drive may have contained the patients' names, the facilities and addresses where services were rendered, report ID numbers, test indications, ages, heights, weights, test recording and analysis dates and times, and clinical summaries of test findings.
The personal and health information (including birthdates, medical record numbers and Social Security numbers) of 8,294 patients at the University of California San Francisco (UCSF) may have been exposed when a laptop was stolen from a physician's locked vehicle. Although the physician believed the laptop was encrypted, that couldn't be confirmed.
The personal health information of more than 7,100 patients at Ohio's University Hospitals (UH) may have been accessed when an unencrypted hard drive was stolen from the vehicle of an employee of a third-party vendor that was upgrading UH's computer systems. Patients' names, home addresses, birthdates, medical record numbers, insurance provider information and information about medical treatments were exposed, along with 33 patients' Social Security numbers. Free credit monitoring services are only being offered to those patients whose Social Security numbers were exposed.
Employee Error: Improve Relationship with IT
The likelihood of an accidental data breach can be decreased, Sullivan says, if you simply work to improve communication between employees and IT.
"People don't want to ask questions if they think they're stupid questions," he says. "There's too much in IT about blaming the user, 'stupid user this, stupid user that,' and I really get annoyed with that, because the only dumb question is the one not asked. So you have to make an effort to offer some security awareness training so people know that there are legitimate questions to ask, and then encourage them to ask questions when something doesn't feel right. Then you'll have a better success rate in nipping things in the bud."
"You can't train people to be guards, but you can train them to go ask a guard for help," he says.
Bill Gardner, an assistant professor who teaches Digital Forensics and Information Assurance at Marshall University and president and principal security consultant of Blackrock Consulting, offered similar advice during a recent presentation on how to offer security awareness training that really works. "You are further educating educated people" who unlike you are not experts in security, he said. "Don’t call them stupid."
An undisclosed number of physicians' names, business addresses and Tax Identification Numbers were mistakenly made available in PDF documents posted to Anthem Blue Cross' website. For those who use their Social Security numbers as their Tax Identification Numbers, their Social Security numbers were exposed. All those affected are being offered one free year of identity protection services from AllClear ID.
California's Employment Development Department mistakenly provided an undisclosed number of people's confidential information, including their full names and Social Security numbers, to employers for whom they hadn't worked.
Cpl. Keith Hamilton of the Muscogee County Sheriff's Office sent an email throughout the department that contained several female employees' personal information, including their names, the serial numbers of their body armor and their physical characteristics including their height, weight, chest and bra cup sizes.
A former employee at Rotech Healthcare took a personal computer containing sensitive information with her when she left the company. "Our former employee appears to have removed this personal information inadvertently," Rotech chief privacy officer Robin L. Menchen said. Data potentially compromised includes Rotech employees' names, addresses, Social Security numbers, carriers administering their healthcare coverage, and/or information about medical or pharmacy services rendered. All those whose Social Security numbers may have been compromised are being offered a free one-year membership in Experian's ProtectMyID Alert service.
A file containing an undisclosed number of names, addresses, birthdates and Social Security numbers was inadvertently disclosed on the system of a vendor working with Standard Insurance Company. All those affected are being offered one free year of identity theft protection services from ID Experts.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at email@example.com.
By Jeff Goldman
November 25, 2013
Planned events include webinars, a bilingual Twitter chat, and regional events in California, Maryland, Nevada, Virginia and Washington.