Stolen laptops continue to be a frequent cause of major data breaches across industries from healthcare to education, even though encrypting the sensitive data stored on them would eliminate the risk of such breaches entirely.
According to the SafeNet Breach Level Index, a total of 237 data breaches exposed more than 175 million customer records worldwide in Q2 2014 alone — and less than one percent of those breaches were “secure breaches” in which strong encryption prevented the data from being used.
“While it’s not surprising that sophisticated cyber criminals are gaining access to critical data stores, what is surprising is that only one percent of breached records had been encrypted,” SafeNet chief strategy officer Tsion Gonen said at the time. “The benefits of encryption have been known for some time, but companies just aren’t doing it.”
New Mexico State University
The Albuquerque Journal reports that an unencrypted laptop stolen in June 2014 from New Mexico State University (NMSU) held 171 students’ names, birthdates, Social Security numbers and other personal information.
Affected students weren’t alerted until August 11, 2014, when a letter notified them that the suspected thief, 19-year-old Oscar Quintana, had been arrested, but that he “had disposed of the stolen laptop containing the personal information prior to being arrested.”
“It appears that the thief was not targeting data, but rather items that could easily be sold and therefore the likelihood of data being misused is very low,” NMSU chief information officer Norma Grijalva wrote in the notification letter.
Grijalva told the Journal that it took the university until August 11 to determine which students’ information was on the laptop. “By law we have 60 days to notify victims,” she said. “We were within that timeframe.”
Cedars-Sinai Medical Center
The Los Angeles Times reports that Cedars-Sinai Medical Center recently began notifying more than 500 patients that their personal information may have been exposed when a password-protected but unencrypted laptop was stolen from an employee’s home on June 23, 2014. The lack of encryption was a violation of Cedars-Sinai policy.
“Cedars-Sinai takes the security of our patients’ health information very seriously, and has multiple security safeguards in place to protect health information,” Cedars-Sinai chief privacy officer David Blake said in a statement. “Even a potential data security incident on a single computer, as has occurred here, is not acceptable to us.”
According to Cedars-Sinai, the information on the laptop varied by individual, but included some combination of medical record number, patient identification number, lab testing information, treatment information and diagnostic information. In a “small percentage” of cases, the hospital says, it also included Social Security numbers or other personal information.
Kleiner Perkins Caufield & Byers
Two of the stolen laptops, which were password-protected but not encrypted, held an undisclosed number of KPCB employees’ names, contact information, Social Security numbers and financial account information.
“We immediately notified law enforcement and are cooperating with them in an effort to recover the laptops and to apprehend the offenders,” KPCB general counsel Paul Vronsky wrote in the notification letter [PDF]. “We are also working with expert advisors, including forensic and security specialists, to determine the scope of information that may have been compromised, and to design and implement security enhancements around our facilities and our computer systems.”
Let’s hope that those security enhancements include encryption.
But as SafeNet’s Gonen puts it, encryption is the security industry’s equivalent of flossing your teeth. “Everyone knows it’s good for you and the technology is proven, but only a small percentage of companies do it well,” he said.