LeicesterCare, an elderly care service operated by a UK council, is in the midst of resetting 2,000 home access key codes after experiencing a data breach. A USB key holding details for 4,000 patients was lost. Although the council hasn’t come out and said it directly, it’s implied that disk encryption was used on the missing memory device.
Key Codes Used To Access Homes
LeicesterCare had in its possession a USB flash disk that contained medical information for 4,000 elderly patients that required looking after. The disk also contained 2,000 key codes which were used to open a container that held keys to patients’ homes (think: a better solution to keeping your key under the welcome mat).
Generally, the loss of a USB device with sensitive data translates to something of an “abstract” risk: phishing scams, identity theft, etc. These crimes and their ramifications are real, of course; there’s nothing abstract about them. However, they lack the certain “kick to the gut” intensity of other, more direct crimes, such as spotting your car devoid of tires and on top of cinder blocks.
In this sense, LeicesterCare’s case is possibly one of the worst USB key data breach instances I’ve heard of.
Encryption Software was Used, I Think
After waiting a bit to see if the memory stick would turn up, the council overseeing LeicesterCare contacted affected parties and the Information Commissioner’s Office. A spokesperson had this to say:
…we have been assured by our supplier the information on the device is not accessible to anyone who may find it, we are taking every precaution and we are urgently carrying out changes to the keysafe codes of around 2,000 users. [dailymail.co.uk]
In this day and age, it takes either a stupid but bold person or an honest one to say that information cannot be accessed. Assuming the above supplier is honest (and knows what he’s talking about), it can only mean that encryption was used to protect the data on the now-missing device. How else could you make the claim?
What’s with changing the key codes? Merely being smart: just because encryption proffers some of the best protection around when it comes to data security doesn’t mean you can’t do better.