The demise of the CD has been long predicted. After all, it’s a nearly 40-year technology, ancient by any technological standards. However, I was one of those people who didn’t quite believe that it was dead. Until today, that is, when I read of a data breach that, for me, marks the beginning of the end. The good news is that information protection using data encryption might become easier.
AdvancePierre Foods Breach Notification
According to databreaches.net, AdvancePierre Foods has notified the NH Attorney General’s Office that it lost a flash drive with employee information. Apparently, this flashdrive was sent via mail from AdvancePierre Foods to its 401K provider. The envelope was damaged, and the financial services firm alerted AdvancePierre Foods of the fact.
The small device contained names, SSNs, dates of birth, employee’s hiring date, and compensation data for 2009 and 2010. Passwords for accessing 401K accounts were not present.
It is wasn’t revealed what protective measures were on the flashdrive, be it password protection or encryption software for flashdrives.
(The former, of course, is not real data protection, as I’ve detailed elsewhere on this blog numerous times, while encryption is the real deal. However, I’d prefer it over nothing at all. In fact, the layperson can be excused for thinking that password-protection provides “protection” — the word is in there, for goodness’ sake! — but if nothing was used at all?
That’s just stupidity, plain and simple.)
Was Encryption Software Used? Notifications Being Sent
The fact that the letter was filed with the Attorney General, and that NH residents are being notified of the breach, cannot be used as evidence that the flashdrive was unencrypted. Many states offer safe harbor from breach notification letters; however, New Hampshire is not one of them.
Likewise for breach notification letters received by residents of other states: in this connected world, notifying one set of people while not notifying others is public relations suicide. And, of course, once you notify people, respective state AGs might take exception of not being notified, regardless of what the law states.
Why is this the Clarion Call for CDs?
Well, first off, I want to clarify that this is a sign of the CD’s demise to me; it’s a personal one. We all take signs from some particular event or statistic or what-have-you, and this event is mine.
Why this one? Over the past four years or so, I’ve read of many instances where a data breach was triggered due to lost mail or damaged mail. The most unique case I recall, which is not tied to a data breach, by the way, is when nuclear material was lost while being Fedexed.
Anyhow, most data breaches involving the postal system invariably revolve around CDs and DVDs. You also have backup tapes and external drives going missing in the mail; however, people don’t use backup tapes and external drives as replacements for CDs and DVDs.
Flashdrives, on the other hand, are. Some would argue that it was the rise of flashdrives that allowed Apple and other computer manufacturers to get rid of CD drives (the argument that it was the cloud that did CDs in is, in my opinion, incorrect; at least, when it comes to storage).
This is the first story I’ve read where a flashdrive was sent over the mail and caused a data breach. Granted, this is most probably not the first one to be sent over the mail; however, the fact that such a story appeared must indicate that there are plenty of these going around in the mail.
And, despite the fact that such devices are many times more costly than a pack of 10 CDs, people are willing to send them over the mail, most probably never to be returned. In other words, USB flashdrives are now considered disposable.
Yep, you can kiss CDs good-bye now. Which is not a bad thing from an encryption perspective. CDs are, as far as I know, impossible to encrypt in whole. Any encryption is first done on the file, then burned to a CD — in other words, file encryption.