Pogowasright.org is reporting that Central Collection Bureau (CCB), a private company in
Why is this bad news? Because the information was stored as a clear text file. That is, the contents were not encrypted. The information in question includes dates of birth, last known address, names, Social Security numbers, and, in some cases, medical codes (not sure what they are; hopefully, they’re just internal codes used by a hospital, and not the government, making them nearly useless for ID thieves). Plus, the lost information is not in some proprietary backup tape format: the perps only have to turn the computers on to gain access.
The good news, if you can call it that, is that the computers have the weakest form of protection available, the digital equivalent of the little chain for your home’s front door: password protection. However, my guess is that it won’t prove to be a foil. Whoever stole the computers had to go through three locked doors. At a collection agency. The guy (or guys) really wanted to get those computers and, while this is speculation, it must have been for the data (what else would you find at a collection agency?). And if that was the objective, then a little thing like password protection shouldn’t be a problem. Besides, depending on what constituted their server, hacking may not be necessary at all: the thieves could just pop out the hard disk, hook it up to another computer, and read the contents that way.
People often complain about sensitive data being transported about in a laptop, clucking their tongues and wagging their fingers about data retention in secure servers. Time and time again, thieves have shown that servers in a “secure” location are not secure unless one has something akin to
Sure, a closet (even one with three locks) may not seem that secure. However, financial issues are always a factor when it comes to security. Does one really expect a small or medium-sized business (SMB) to spend upwards of $10,000 annually for a handful of computers that lose half their value the moment they’re purchased? Especially when “security” is a non-performing asset? (That means security doesn’t roll in the dough.) Nope, they’re gonna stick those computers next to the broom. What else are they going to do? They can’t keep servers in an unlocked closet.
What SMBs need is a way to secure what’s important without denting them too much when it comes to the bottom line: encryption, either full disk encryption or file encryption (maybe even both). After all, in such instances what everyone is upset about is the loss of the data, not the loss of the computers themselves (well, with the exception of the company). So, what’s really important is to protect the data. Data protection solutions like AlertBoot were made for such instances. Easy and fast to deploy, and offering the latest and strongest encryption methods approved for civilians, AlertBoot is possibly the most hassle-free way of securing one’s computers, be they servers, laptops, or even PDAs. Try to get something stronger and the NSA will show up at your door.
CCB sure could have used some type of encryption on their computers. Now, the only thing it can do is try its best to contact all the people affected; however, the nature of the affected may mean it’ll be hard to track down a good number of them. On the other hand, if these people’s credit is, on average, really bad… well, no sense in carrying out ID theft, right? Maybe it’ll work out in the end.