Wheeler & Associates, CPA, PA have filed a data breach notice with the New Hampshire Attorney General’s Office. A break-in at Wheeler & Associates offices resulted in the theft of computers and external hard drives. Per the letter, it sounds like hard drive encryption such as AlertBoot was not used to secure the contents of the stolen devices.
Stolen Devices Had Personal Info, Were Recovered
The stolen laptops and external hard disks contained personally identifiable information (PII) including names, SSNs, and addresses. Passwords were used (although it’s not mentioned whether these were used in conjunction with encryption software), and further security was present in the form of “specialized accounting software,” which could mean anything from custom made software to QuickBooks.
It should be noted that specialized application or not, data is data. Generally, a hex editor can be used to take a look at a file’s contents if information is stored in plaintext form. In other words, you can’t claim that data was secure because “specialized software” was required.
The good news, though, is that the stolen devices were found. Apparently, two of the devices had already been formatted and installed with new software. The thieves confessed that they did not access the information, a statement that forensic reviews backed up.
Or did it?
Forensics Can Only Do So Much
How did the forensic experts know whether information was accessed or not? Especially since data had been deleted? Well, the truth is that data is not “deleted” when you delete it. Nor is it deleted when you reformat a hard drive. Instead, both actions get rid of the pointers to your data files: a map used to find where specific files are, if you will. Since these pointers are missing, the computer can’t find the files and, from an operational standpoint, the files are as good as deleted.
But, of course, they’re actually not. In fact, there is no such thing as data deletion when it comes to electronic data. If you want to get rid of data, you’ve got to write over it with new data. The new data displaces the old, essentially destroying it.
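The pointer-versus-data distinction above, together with the earlier point that plaintext can be read without the “specialized software,” shown as an added example that is not part of the original post. The toy volume, the binary record layout, the file name and the SSN value are all constructed for illustration.

```python
import re

BLOCK = 64  # bytes per block in this toy volume (assumption)
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

class ToyVolume:
    """Constructed stand-in for a disk: a file table (the pointers) plus raw blocks."""
    def __init__(self, blocks=4):
        self.raw = bytearray(BLOCK * blocks)
        self.table = {}      # file name -> (block index, length)
        self.next_free = 0   # next unused block

    def write(self, name, data):
        if len(data) > BLOCK or self.next_free * BLOCK >= len(self.raw):
            raise ValueError("toy volume: file too large or volume full")
        start = self.next_free * BLOCK
        self.raw[start:start + len(data)] = data
        self.table[name] = (self.next_free, len(data))
        self.next_free += 1

    def delete(self, name):
        del self.table[name]  # pointer dropped, block contents untouched

    def quick_format(self):
        self.table, self.next_free = {}, 0  # fresh table, block contents untouched

    def wipe(self, name):
        idx, length = self.table.pop(name)
        start = idx * BLOCK
        self.raw[start:start + length] = bytes(length)  # overwrite with zeros first

def find_ssns(raw):
    """Scan raw bytes for SSN-shaped plaintext, ignoring any file format."""
    return [m.group().decode() for m in SSN_RE.finditer(bytes(raw))]

# Constructed record in a made-up binary layout; 000-12-3456 is not a real SSN.
RECORD = b"\x02CLNT\x00Jane Doe\x00" + b"000-12-3456" + b"\x00\x10Main St\xff"

ACTIONS = {
    "delete": lambda v: v.delete("client.dat"),
    "quick_format": lambda v: v.quick_format(),
    "wipe": lambda v: v.wipe("client.dat"),
}

def run_case(action):
    """Write the record, apply one action, return (visible files, SSNs in raw bytes)."""
    vol = ToyVolume()
    vol.write("client.dat", RECORD)
    ACTIONS[action](vol)
    return sorted(vol.table), find_ssns(vol.raw)

if __name__ == "__main__":
    for action in ACTIONS:
        print(action, run_case(action))
```

In all three cases the file table ends up empty, but only the overwrite leaves nothing for a raw scan to find.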
So, returning to the subject at hand, what did the forensic experts do? My guess is that they used a file recovery program to recover the “deleted” files; found the appropriate computer log to find data copying/transfer activities; and looked to see if any files were copied off of the computer, per the logs.
If the logs show no such activity, then the integrity of the data is uncompromised, right?
Probably. A less probable but still possible answer is that the thieves copied off the data (say, to a USB flash drive), manipulated the appropriate logs, reformatted the devices in order to sell them, eventually got caught, and lied to save their butts, knowing that no one could prove otherwise.
Now, chances are that the above did not happen. On the other hand, there’s no real way to know unless one of the thieves confesses to it.
Encryption Software Provides Security
So, how to be sure? The only way is to prevent unauthorized people from accessing sensitive info to begin with. For example, one could use file encryption in order to prevent a thief from accessing particularly sensitive documents. Whereas the thief can surf the internet (allowing computer tracking software to be activated) and use the computer normally, any files that are encrypted would be off-limits.
Or, if the idea of a thief using your computer disgusts you, you could get more protection in the form of whole disk encryption, which prevents the laptop from even booting up until the correct username and password are presented.