The Oklahoma Employment Security Commission has alerted more than 5,500 people that their private information was on a lost flashdrive. Drive encryption was not used to secure the contents of the missing drive, which could be problematic.
The private information included names and SSNs, and the earnings of corporate officers at more than 80 businesses.
According to spokesman John Carpenter, an employee copied the information to a flashdrive when his computer became infected with a virus. The flashdrive was subsequently lost during a conference trip in Dallas.
The above story is amusing (ironic?) in the sense that the employee was concerned enough to copy data off of a computer because of a virus, thus practicing data security, but not concerned enough about losing a USB disk. He should have had the content encrypted.
I think I read a comment somewhere about how the employee involved in the breach should be investigated for “criminal intent.” Are you kidding me? People don’t report the loss of data if they had criminal intent to begin with. Most likely, the only thing “criminal” about this is the amount of hubris the employee showed by assuming that everything would be perfectly safe.
Unfortunately, this hubris is hard-wired into every one of us. If I’m not wrong, some study showed that 80% of people believe that they’re better than average drivers, which can’t be correct when you work out the numbers: at least 30% are wrong. And study after study shows that we overestimate how good we are at something.
It’s the same sense of superiority that has people thinking, “hey, it’s not going to happen to me,” leading to hilarious results that end up videotaped and shown on YouTube.
Lack of Encryption + USB Flashdrive = Déjà Vu
I’ve already covered a couple of stories regarding USB security, including how to provide USB protection when it comes to accessing the hardware ports on a computer (hint: it doesn’t involve super-gluing parts).
What the OESC may want to do is put better data security measures in place, slightly restrictive ones. The breach happened because information was copied to a USB drive. The use of whole disk encryption on office USB sticks would minimize the chances of a data breach.
And if company policy is to never have data copied off computers onto removable media (CDs, USB flashdrives, external HDDs, etc.), then they should just block the USB ports.