Full Disk Encryption And Internal Security Breaches (Update To May State Street Incident).

The site pogowasright.org has a link to a letter of notification to the Maryland Attorney General from Exeter Trust Company.  According to the letter, State Street—who announced in late May that it had lost “computer equipment”—was a subcustodian to Exeter, and the trust is now revealing details on what happened.  It makes me wonder if disk encryption solutions like AlertBoot would have helped in this case.

 

According to the notification letter, an employee of a third party vendor hired by IBT stole a computer tower that contained four million internal e-mails with sensitive details like names, Social Security numbers, and checking account numbers.  Since one assumes these e-mails would have to be gone through one by one, it’s not wonder that it took State Street four months to figure out who to call.

 

A computer tower, eh?  I haven’t heard that term in ten years.  If they’re referring to what I think they’re referring, we’re talking about something that is about two feet or more in height.  Not an easy thing to lug around.  Stealing one of those would definitely require an insider’s help.  Which goes to show that form factor is not to be relied upon for security.

 

The question, as far as I’m concerned, is “would full disk encryption have helped in this case?”  I’m going to assume that file encryption would have been a less than ideal solution, just because of the massive number of e?mails to be protected.  I just know someone somewhere would have forgotten to encrypt at least one e-mail.  It’s just the nature of things.

 

Why am I even questioning the effectiveness of hard drive encryption?  Quite obviously, because an insider was involved.  Hmm… I probably should note that this employee is technically not an insider.  Yes, he was physically inside the venue where the computer was located; that much is clear.  However, whether he was working on the computer, or next to the computer—we don’t have that detail.  After all, he wasn’t an employee at State Street.

 

And therein lies the problem.  If he was working next to the computer, full disk encryption would have protected the e-mails and any other data stored on that computer.  One assumes that the username and password for decrypting the information wouldn’t have been taped to the bottom of the keyboard, for example.  If the thieving employee had worked on the computer, then that means he had access to the data begin with, and full disk encryption would have been of limited protection.  I say “limited” because encryption solutions like AlertBoot—which use a centrally?managed console to control the encryption of computers and access by employees—would have given State Street a chance to disable access to the encrypted drives after the theft.  Potentially, this could have prevented the thief from getting to the data, if conditions were right.

 

What’s really tragic about this story is that State Street caught the perp and managed to recover most of the equipment that was stolen.  But not the server that contained the sensitive data.



Comments (0)


Let us know what you think