In The Digital Age, The Sun Never Sets On The (Former) British Empire: Canada Has Laptop Security Woes, Following UK And India.

Or at least, it certainly feels like it.  In addition to last week’s UK government public relations fiasco with the two lost CDs—and the other post I had regarding a break-in at an Indian government military research lab, where three computers were stolen—there are reports from Canada that a consultant for the Provincial Public Health Laboratory (PHL) of Newfoundland and Labrador took a laptop containing patient information home from the laboratory, creating a data breach.


From the reports, it doesn’t sound as if the laptop was stolen from the consultant.  Rather, and this is freaky as hell, a security researcher called up the consultant in question at home to let the consultant know that the researcher had been able to access the data via the consultant’s internet connection.  Can you imagine?  You’re minding your own business, doing some government work, when a guy calls to tell you, “I can see your data.”  It feels like the fourth sequel to I Know What You Did Last Summer; quick, someone get in touch with Jennifer Love Hewitt’s agent.


What’s surprising to me about this is that a security researcher, of all people, finds out about this data breach and calls the guy to alert him.  What were the chances?  Of course, the way they paint Canadian politeness and conscientiousness, you’d believe that Canadian hackers (or crackers, if you prefer) would do the same...


Anyway, the Canadian government has promised a full investigation.  The data exposed included test results for HIV, hepatitis, and other infectious diseases; Medical Care Plan numbers; age; sex; and the names of physicians.  I guess that’s more than enough information for carrying out medical insurance scams.  Or for calling someone up and blackmailing them.


And, of course, Health Minister Ross Wiseman had to assuage fears that the PHL’s internal security practices might resemble those of the UK government.  He said that this incident is an isolated situation and doesn’t reflect on the integrity of the systems in the laboratory or of the company that provides IT services to the PHL.  The consultant in question breached policies, and, obviously, a computer taken outside the security zone (the lab premises, in this case) cannot be protected any more than the village idiot who runs outside the fortress walls during a siege (my words, not the Health Minister’s).


I agree with Mr. Wiseman.  I also agree with countless other people who point out, time and time again when similar data breaches occur, that policies always fail (which is only logical; the data breach happened because the policy failed).  Now, that doesn’t mean that policies don’t work, nor does it mean that they’re not necessary.  Quite to the contrary, policies work most of the time, because most people follow them.  But when all it takes is one instance of someone not following, or being ignorant of, an organization’s data security policies, “most of the time” is not good enough, since sooner or later it will result in a (big) problem, at least in this day and age.


If organizations are going to rely on policies to create a data-safe environment—as opposed to just using unenforceable policies to cover their butts later on—perhaps what they should include is a policy that prevents individual employees (i.e., the end users of the computers) from breaking said policies; it seems like 80% of the problems originate from renegade employee acts.  Policies such as “all computers must be encrypted” would be easy to implement, and helpful, with services such as AlertBoot.  You can deny employees the ability to uninstall encryption (which would lead to a security breach) while allowing decryption (so that workers can actually use their computers while the data is still protected by encryption).  So even if they take their work laptops home, breaking one set of company policies, at least the information on those laptops is protected by another set of policies should unforeseen circumstances arise.


So…any takers on whether there will be an Australian government data breach this week?
