Databreaches.net has linked to a story of how staff members at the Fayetteville School District in Arkansas have fallen victim to ID theft–and nobody knows how (at least not yet). The one commonality among all victims is that they’re registered with a company that provides health and dental insurance. Looks like an outside breach, which, depending on the situation, could have been prevented with the use of hard drive encryption software.
Was Third Party The Source of The Data Breach?
So far, 30 teachers, librarians, and counselors were targeted, with one of them having received a bill for $4,000. Apart from the fact that they were being served by the same insurance company, all victims have last names that fall between the letters A and G.
We shouldn’t yet assume the insurance company is the source of the breach. One has to ask, “How many people who work for the Fayetteville School District, whose last names start with A through G, and are being served by the insurance company, are not victims?”
And, if there are plenty of non-victims, is it because the criminals haven’t had a chance to defraud everyone? Or is it because it happens to be a huge coincidence (the ties to the insurance company, I mean)?
Similarly, it could be that the “A through G” pattern stands out because the criminals have decided to commit fraud on an alphabetical basis, and haven’t reached beyond “G” yet. Or, it could be that they managed to gain a partial list only.
On the other hand, I wouldn’t be surprised if the above were indeed due to the theft or loss of a laptop or external hard drive by a third party. It happens quite often. The GAP, for example, experienced a third party data breach about two years ago that affected 800,000 job applicants.
How can one prevent third party data breaches? Short, blunt answer: you can’t. However, a company could state in contracts that third parties must use data protection software like full disk encryption on all of their company laptops. This way, if something untoward happens, the data is protected.
However, that company must also follow up to ensure the terms of the contract are being kept by the third parties. Performing an encryption audit, for example, is required. The GAP had encryption on laptop computers stated as a contractual term, but…well, we know how that turned out.