Current and former employees of Regions Financial Corp are facing a data breach after a USB flashdrive that was mailed went missing. The USB device was protected with data encryption software. This is a good thing. However, the information to decrypt the data was also mailed in the same envelope as the USB device.
Ernst & Young to Blame
The Regions Financial data breach was actually caused by outside auditor Ernst & Young. An employee mailed the flashdrive and the “decryption code” in the same envelope to a different branch. When the mail arrived at its destination, the USB drive was missing. The decryption code was still there.
Employees of Regions were alerted of the breach via a letter dated January 23. The breach took place in November. Information about 401k plans were lost, including names, SSNs, and possibly dates of birth.
The situation is ironic: E&Y has released studies concerning data security. Less than two years ago, it had noted that secondhand flashdrives were chock-full of sensitive data. If I’m not wrong, they had also pointed out the need for encryption, or at least the use of better data deletion techniques.
I don’t really remember if they had pointed out why keeping the passwords for accessing encrypted data and the encrypted data in the same place is a bad idea. On the other hand, do you really need a multi-million dollar consultancy firm to point out the truly obvious?
Pick Up the Phone
What should the employee have done? Obviously, I don’t have a problem with sensitive data being sent over regular mail, as long as disk encryption was used to secure the data. But, doing so poses problems. How does one let the recipient know what the password is?
Putting the password in the same envelope is a bad idea. Putting the password in a separate envelope and mailing it is acceptable. Some might to turn email, but this also poses a problem: what if the email address is a shared one? Or, what if the recipient’s company has set up a policy where all emails are copied between a particular group’s members?
The best way to divulge the password might still be via the phone. Once the recipient has the USB device in his hands, he picks up the phone and calls the sender. Of course, there’s also the possibility of a phone being tapped.
All methods of sharing passwords are fraught with the possibility of a leak. Some, however, are much higher than others.
I should also note that the fact the decryption code was still in the envelope is meaningless: anyone could have taken and made a copy of it.
Related Articles and Sites: