The UK’s Information Commissioner’s Office is looking into a data breach that occurred in December 2011. According to channelregister.co.uk, Avnet Technology Solutions suffered a data breach on December 21 when “unknown parties broke into” their offices. Could the use of data encryption software have mollified the ICO? Probably. Was it an option? Well…maybe.
Server Hard Disks Stolen
The Haslingden, Lancashire offices of Avnet were broken into on December 21, 2011. Server hard disks — and not the servers themselves — were stolen. These contained data on staff and customers related to the acquisition of Bell Micro. While channelregister.co.uk originally reported that addresses, bank account numbers, sort codes, passport numbers, and national insurance numbers were stolen, it was later contacted by Avnet, and a correction was issued: passport and national insurance numbers were not part of the stolen data.
Avnet would not confirm how many people were affected by the breach, or how many hard disk drives were stolen.
The thing about servers is that, generally, people don’t want to use disk encryption software on them because of its negative impact on system resources. It varies from server to server, of course: if a server is accessed every five seconds, then encryption software would probably not impact it negatively. However, if the server is running at 100% all the time, then that computer needs all the resources that can be spared and then some.
What kinds of servers were involved in the Avnet case? We don’t know. We do know, however, that the breached data was probably not needed on a 24/7 basis. Of course, what else was on these servers is unknown, so it’s hard to decide whether encryption would have been a viable data security measure in this particular case.
Servers Stolen All the Time
Servers getting stolen — in whole or otherwise — is not a new phenomenon. I’ve read of servers getting stolen; of their hard disks getting stolen; of data centers being broken into — in one case, by putting an electric saw to the wall — and everything inside getting stolen. It’s as if *gasp* thieves will steal just about anything.
Obviously, the occurrence of server thefts is rather low — physical security may have its shortcomings, but let’s face it, it generally works — but this is not a reason for being lax about using encryption on servers. Even if disk encryption is not an option due to performance issues, care should be taken to at least use file or folder encryption to protect any sensitive data. Relying solely on physical security (locks, cages, guards, etc.) is not an option in this day and age.