I’ve got to laugh at this story I’ve come across, not because it’s funny, but because it’s wrong on so many levels. It just goes on to show why the concept of data security was conceived in the first place, and why data encryption software is required if one’s dealing with sensitive information. You know, because one’s job happens to require handling confidential government information.
The Australian Federal Police (AFP) was the source of a data breach at a hotel in Nepal. Apparently, AFP agents were sent to Nepal, a country 5000 miles away from the land down under, to investigate the October plane crash in that country (two Aussies were killed in the accident). One of these AFP agents left a USB key device in a hotel computer. It’s hard to tell from the news articles whether it was at the hotel’s business center or some other type of public-access kiosk.
One thing that can be determined, though, is that these were public computers. An unnamed guest, a non-government worker, who I assumed was involved with the plane crash investigation, deleted the sensitive information from a USB stick that was attached to a computer. And about three weeks later, deleted other sensitive information from another hotel computer as well.
According to The Age, an Australian publication, these are some of the contents:
Police photographs of charred remains, as part of the plane crash investigation
Diplomatic cables, one of them marked as “consular-in-confidence.” In other words for-your-eyes-only (the you here would be the ambassador and assorted others. But not hotel guests, I reckon)
Copies of personal e-mail, including one where an Australian agent described a CIA agent as “a bit of a footy jock but covered with some huge … tattoos (stacks of them) and dressed like a total backpacker”
Strategies for sharing information with foreign agencies (not just Nepal, I assume)
A document marked as “protected” that detailed a meeting between an AFP agent and a secret foreign military organization
Plus other stuff
Like I said, wrong on so many levels.
In some ways, the contents of the breach (i.e., the e-mail about the footy jock), and how information security was bypassed, point that the accident was bound to happen eventually. I mean, does the above sound like the results of a mistake by a brilliant guy, or the actions of an imbecile?
Take for instance, the description of the CIA agent by the AFP operative. Should anyone be surprised to find CIA operatives that dress like a total backpacker in Nepal? Let me tell you, if you happen to be non-Nepalese, the only want to blend in is to dress like a total backpacker or some other type of tourist — especially if your job happens to be to gather information while roaming the countryside — because that’s what non-Nepalese who roam the countryside do in Nepal: they backpack. You gotta blend in; an addendum to gathering intelligence is to not get caught doing it.
Then, there’s the fact that someone copied sensitive information to a computer that’s freely used by anyone who, not only is a guest of the hotel, but is able to walk in through the front doors (hm…in hindisght, walking is not really necessary; someone could wheel you in as well. Rolling because one’s monstruosly obese may be an option, too). Was this guy insane? The fact that he had access to extremely sensitive material in of itself indicates he was near the top of the hierarchy; the guy on beat patrol doesn’t have access to confidential diplomatic cables, if you get my drift. And yet, the guy who, by rank alone should know what he’s doing, makes a mistake a noob wouldn’t be caught dead in.
And last but not least, someone forgets a memory device sticking out of a computer. I’m not even going to entertain the possibility that there was USB key encryption used on the memory stick. With such clowns running the show, there’s a good chance any disk encryption software was removed in the interest of letting the guys do their job; otherwise, it would just get in their way. (There are days when I actually believe this. Today is such a day.)
There are many usb disk data security software products out there, including AlertBoot, which allows you to centrally manage encryption. Protecting sensitive data is not difficult. There’s no reason for you to get caught with your pants down like the AFP operative above.