Newfoundland Student Data Breach Affects 28,000. Laptop Security Lacking.

The Canadian Press is reporting that the Eastern School District administrative offices reported four laptops missing, presumably stolen, from a secure location with guards and security pass entry.  I’m guessing the latter is a reference to some kind of electronic key card system.


The information on those machines took several days to compile, and the administration has concluded that compromised information includes names, addresses, grades (not the report card, but K-to-12), health card numbers, and phone numbers of 28,000 students at 56 schools.


The laptops were protected by passwords, allowing the Eastern School District CEO to claim that access was “limited.”  


Hm.  I concur. Limited—just like access to a home is limited to those who hold the key or have a battering ram.  And in the computer world, the battering ram required to get past passwords is a CD with a program that is easily and freely available over the internet.  (There are other methods, but let us keep it simple, yes?)  What they should have had on that laptop is encryption, not password-protection.  What’s the difference, you ask?


Perhaps a simple analogy would help.  Encryption is like putting something in a safe with locks—strong ones.  Password-protection is like hiding something in a hollowed-out book.  In both cases, it’s just a matter of time before each yields its secrets.  However, most would agree that the hollow book does not require much expertise to crack and would be deemed terrible security for anything other than, say, a flask of whiskey.  Plus, it protects only if someone is not actively looking for something.  Likewise with password-protection.  It’s protection only if someone is not looking to gain access to the stolen laptop.  Otherwise, you can expect an information breach.


Now, with the safe—again, it’s also just a matter of time; I don’t deny that it can be broken into.  But unlike a hollow book, it’s going to take a long time.  The thicker its walls, the longer it’s going to take.  If it’s designed right, dynamite won’t work.  There’s nothing left to do but drill it—possibly for days, perhaps months.  Data encryption on a computer affords one the same security.  Except “drilling” it is going to take decades, probably centuries, perhaps (and this is no joke) longer than the age of the universe as of right now.  The thief will be dead by the time he can access your data.


Plus, if you sign up for encryption with certain companies—like AlertBoot, which offers managed encryption services—you also get the benefit of powerful reporting, meaning it won’t take four days to figure out the extent of a data breach.
