UK Disk Encryption: Make Sure Encryption Cannot Be Removed.

Databreaches.net has found an Undertaking signed by Luton Borough Council.  Like many Undertakings that the ICO has issued, it involves the loss of portable devices which contained personal data.  However, the story sparks interest because the devices in question were protected with disk encryption software.  The only problem?  It turned out that the encryption software could be removed.  There were other problems, from a DPA point of view.


More than 619 Memory Sticks.  Multiple DPA Infractions



A self-reported data breach on January 21, 2011 alerted the Information Commissioner’s Office of a data breach at Luton Borough Council.  According to the Undertaking, the council was recalling its memory sticks when it discovered that a “flaw could permit the memory sticks to be formatted, removing the encryption protection.”


Furthermore, it turned out that of the USB sticks that were recalled, 619 of them had incomplete audit records.


Removable Encryption?  Formatting Data?



There are a couple of things I should clarify here.  First, the issue of removable encryption.  All encryption software is, technically speaking, removable: if you can install it, you can remove it.  However, the last thing that you want is unapproved people removing protective measures that are in place, be it USB encryption or laptop encryption.


Hence, in certain encryption programs — AlertBoot endpoint encryption included — the enduser is not able to get rid of the cryptographic protective measure that was installed.  Obviously, as the above story shows, this is not necessarily true for everyone.  If you’re looking to meet the ICO’s DPA requirements where personal data is concerned, you should make sure that encryption software cannot be uninstalled by employees.


Second, formatting data does not erase information.  A lot of people think it does, but formatting the program is not about data deletion.  What it really deletes are references to where your data is stored.  Once these references are deleted, the computer cannot find the files and it appears that your data is gone.


However, this is only true because a computer’s operating system is not designed to scan for “unreferenced files.”  It you use cheap (or even free) file recovery software, you can recover these files without breaking a sweat.  So, the fact that encryption software was removed with the formatting of a USB disk is a very serious bug.



Related Articles and Sites:
http://www.databreaches.net/?p=20412
http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/~/media/documents/library/Data_Protection/Notices/luton_borough_council_undertaking.ashx



Comments (0)


Let us know what you think