Another week, another data breach resulting from the theft of an unencrypted laptop: in the past few weeks, a brokerage firm, a health district, a retirement community, a hospital and an oil change franchisee have all begun notifying hundreds of people that their personal information may have been exposed.
In all cases, the laptops were password-protected but not encrypted.
As Rapid7 global security strategist Trey Ford recently told eSecurity Planet, "Encryption technology exists, it’s pervasive, every major operating system in production used today has it or has it available, and it’s not even terribly expensive."
The challenge, Ford admitted, often lies in managing it. "There are concerns about, 'What if the admin leaves, or what if we get locked out of something?' -- and those are valid concerns -- but those problems have been solved, they’re addressable, and organizations not using encryption should be the exception, not the rule," he said.
When you fail to encrypt sensitive data, you're taking a significant risk -- as demonstrated below.
Brokerage clients' data
Brokerage Sterne, Agee & Leach recently began notifying an undisclosed number of clients that their personal information may have been exposed when an unencrypted but password-protected laptop was stolen on May 29 or 30, 2014.
The data on the laptop included the names, addresses, account numbers and Social Security numbers for some of Sterne's current Private Client Group customers, and for past and present customers whose accounts were opened between July 1, 1992 and June 30, 2013.
"While we are confident that this was an isolated incident, we have taken additional steps to secure all customer data: all laptops are now encrypted, data information security policies have been enhanced and employees have received additional instruction on data security protocols and compliance," company CEO Eric D. Needleman wrote in the notification letter [PDF].
All those affected are being offered a free one-year membership in Experian's ProtectMyID Alert service.
Children's vaccine records
On May 30, 2014, a laptop belonging to Texas' San Antonio Metropolitan Health District was stolen. The laptop held fewer than 300 children's immunization records, including the provider's unique assigned identifier and the patient's full name, birthdate, and vaccines administered.
"There is no indication that the theft specifically targeted the data stored on the device," the City of San Antonio said in a statement. "The theft was immediately reported to the San Antonio Police Department and is currently being investigated. To date, the stolen laptop has not been recovered."
All those affected are being advised to monitor their health insurance statements for any unusual activity.
Retirement home employees' data
On June 13 or 14, 2014, a password-protected but unencrypted laptop was stolen from a Watermark Retirement Communities employee's car. The laptop held an undisclosed number of current and former Watermark employees' names, addresses, phone numbers, email addresses, birthdates and Social Security numbers.
"We have been advised by authorities knowledgeable in this area that the thief was likely interested only in stealing the hardware and will be unable and/or uninterested in accessing the information on the hard drive," Watermark president David Barnes wrote in the notification letter [PDF].
As a result, no credit protection services are being offered to those affected, though all recipients of the notification letter are being advised to consider placing fraud alerts on their credit files and to "be particularly vigilant for incidents of fraud and identity theft."
"Rest assured that we at Watermark take this situation very seriously and have taken steps to protect data from further incidents of this type," Barnes wrote. "For example, we are actively investigating ways to enhance data security on laptop computers, as well as reviewing policies, practices and training as they relate to the use of laptop computers for company business."
Current and former employees with questions are advised to contact (800) 597-6618.
Hospital patients' information
On June 17 or 18, 2014, a laptop was stolen from California's Riverside County Regional Medical Center. The laptop held 563 patients' names, birthdates, medical record numbers and nerve conduction study test results (h/t SC Magazine).
"We have no reason to believe the computer is missing because of the patient information it contained," assistant hospital administrator Jan Remm said in a statement. "But, our job is to safeguard our patients’ privacy and that’s what we are focused on doing."
All those affected are being notified, and the hospital says it's working to minimize the risk of future incidents by encrypting patient data, using locks to secure laptops to carts, and developing advanced security access in areas where sensitive patient information is stored.
Patients with questions are advised to contact (877) 500-1255.
Jiffy Lube customers' data
On June 24, 2014, a password-protected but unencrypted laptop belonging to Jiffy Lube franchisee Heartland Automotive Services was stolen. The laptop held an undisclosed number of customers' names, addresses, birthdates and Social Security numbers.
With a striking sense of optimism, Heartland president and CEO Jim Marcum wrote in the notification letter [PDF], "We have no reason to believe that your personal information has been compromised, as the computer in question was password protected."
Still, all those affected are being offered one free year of identity protection services from AllClear ID.