The Montgomery County Department of Job and Family Services in Ohio has alerted approximately 1,200 people that a USB drive with sensitive information has been misplaced. It wasn’t mentioned whether disk encryption like AlertBoot was used to secure the contents of the data.
However, the department has announced that it “does not think the drive was found and accessed by anyone.” There is a fine line between “think” and “hope.”
Contained SSNs and Names
According to whiotv.com, the USB thumb drive was found to be missing on August 24. The device contained names and Social Security numbers for 1,200 people who had received helped from the county department between 2005 and 2010.
It was not revealed why such an inordinate amount of information was stored on the USB drive. Was it for backup purposes? For research and compiling statistics? Or perhaps because someone wanted to work from home and needed to take the data somehow?
I’m not saying that such information should not be stored on USB disks, mind you. With the proper protection in place, such as whole disk encryption, it doesn’t matter how big or small the device happens to be.
On the other hand, it should be pointed out that the best policy is not delete any data you are not using, and not carrying it around with you. While the odds of a data breach are very low when using personal data encryption, it cannot approach the guaranteed risk of zero when data is deleted.
“Nothing Happened” Does Not Mean Nothing Will Happen
What bothers me most about this story is the department’s announcement that it does not think that the disk was accessed by anyone. Where did they get the evidence to think in such a manner?
If USB disk encryption had been used, there would be no argument. But, seeing how this is probably not the case, where did Montgomery County get credible evidence to think that no one’s accessed it?
It’s not as if USB disks have legs and disappear on their own. The fact that it’s missing means someone must have taken it somewhere. Plus, do I need to remind people that SSNs are for life? Even if the information is, indeed, unaccessed today, there is always the chance that someone might happen on it two, three, ten years from now and make use of the information.
Related Articles and Sites: