Full Disk Encryption And Physical Security: Locked Servers Stolen.


Pogowasright.org is reporting that Central Collection Bureau (CCB), a private company in Indiana, has had a security breach that could potentially affect over 700,000 people.  According to the site, eight computers were stolen from the CCB plus a server.  Other sites claim that the server was part of the eight computers; there is a lot of confusion, with everyone trying to upload the story ASAP.  Regardless, everyone agrees that this is very bad news, and it has affected at least 159 companies (there’s a list out there in cyberspace.  Thank goodness for comma delimiting and file imports in Excel).


 


Why is this bad news?  Because the information was stored as a clear text file.  That is, the contents were not encrypted. The information in question includes dates of birth, last known address, names, Social Security numbers, and, in some cases, medical codes (not sure what they are; hopefully, they’re just internal codes used by a hospital, and not the government, making them nearly useless for ID thieves).  Plus, the lost information is not in some proprietary backup tape format: the perps only have to turn the computers on to gain access.

 

The good news, if you can call it that, is that the computers have the weakest form of protection available, the digital equivalent of the little chain for your home’s front door: password protection.  However, my guess is that it won’t prove to be a foil.  Whoever stole the computers had to go through three locked doors.  At a collection agency.  The guy (or guys) really wanted to get those computers and, while this is speculation, it must have been for the data (what else would you find at a collection agency?).  And if that was the objective, then a little thing like password protection shouldn’t be a problem.  Besides, depending on what constituted their server, hacking may not be necessary at all: the thieves could just pop out the hard disk, hook it up to another computer, and read the contents that way.

 

People often complain about sensitive data being transported about in a laptop, clucking their tongues and wagging their fingers about data retention in secure servers.  Time and time again, thieves have shown that servers in a “secure” location are not secure unless one has something akin to Fort Knox protecting their perimeters.  Otherwise, people will store their servers in a closet somewhere.  Locked, of course.

 

Sure, a closet (even one with three locks) may not seem that secure.  However, financial issues are always a factor when it comes to security.  Does one really expect a small or medium-sized business (SMB) to spend upwards of $10,000 annually for a handful of computers that lose half their value the moment they’re purchased?  Especially when “security” is a non-performing asset?  (That means security doesn’t roll in the dough.)  Nope, they’re gonna stick those computers next to the broom.  What else are they going to do?  They can’t keep servers in an unlocked closet.

 

What SMBs need is a way to secure what’s important without denting them too much when it comes to the bottom line: encryption, either full disk encryption or file encryption (maybe even both).  After all, in such instances what everyone is upset about is the loss of the data, not the loss of the computers themselves (well, with the exception of the company).  So, what’s really important is to protect the data.  Data protection solutions like AlertBoot were made for such instances.  Easy and fast to deploy, and offering the latest and strongest encryption methods approved for civilians, AlertBoot is possibly the most hassle-free way of securing one’s computers, be they servers, laptops, or even PDAs.  Try to get something stronger and the NSA will show up at your door.

 

CCB sure could have used some type of encryption on their computers.  Now, the only thing it can do is try its best to contact all the people affected; however, the nature of the affected may mean it’ll be hard to track down a good number of them.  On the other hand, if these people’s credit is on average really bad…well, no sense in carrying out ID theft, right?  Maybe it’ll work out in the end.


