Disk Encryption: UK East Lothian USB Stick Lost, Over 1000 Students Affected.

I’m late to the party as this story is concerned, but I thought it bore the marks of something that needed commenting.  Earlier this month, the East Lothian Council in the UK alerted the parents of 1,075 students that their children’s information was lost.  A USB disk was lost by a council employee.  Data encryption like AlertBoot was not used on the device.

The employee was in possession of the data in violation of council policies.

Affects Schools in Dunbar, East Linton, Innerwick, Stenton and West Barns

The council issued an unconditional apology.  According to them,

A council statement said that “in breach of council policy, an employee downloaded the records on to a private memory stick for the purpose of working from home and later told the council that the stick had been lost. It is still missing despite every effort to find it.” [eastlothiannews.co.uk]

The information on the memory stick included children’s names, school and class, emergency contacts, afterschool clubs, and possibly medical information, and affects 1,075 students in Dunbar, East Linton, Innerwick, Stenton and West Barns.  It was pointed out that the information was password-protected, although that makes a very poor substitute for encryption software.

The person who lost the USB stick was not a teacher, but a staff member.  The employee has been suspended.

Superglue for “Super” Security

The introduction of USB ports on computers was a chicken-and-egg problem.  There were very few people using USB devices, so computer manufacturers didn’t provide USB ports as a standard offering.  Since few computers had the ports, consumers didn’t see a need to buy USB devices.

This all changed when companies built USB ports on each model they sold.  There was an influx of USB device uptake by consumers…and companies all over the world started having data loss problems.  USB storage devices were tiny, drew power from the computer (no separate cord required), and had a relatively large capacity.

Companies were facing a problem to which there was no answer.  Well, they update their data and computer usage policies, but people don’t always follow these (as in the East Lothian story above).

So, IT departments hacked up a solution: they superglued the USB ports shut using pieces of wood, plastic, pennies, etc.  It’s unthinkable today due to the sheer variety of USB-based device offerings (and not just in the storage sector).  But back then, USB product offerings only included storage devices, mice, and keyboards.  And computers still had PS/2 ports.

Today, we have lots of other gadgets.  But, that’s about the only thing has changed in the equation.  People are still people doing people-ish things.  Data is still collected and worked on.  I’m not surprised that IT departments aren’t supergluing USB ports anymore, but I am surprised that there are still organizations out there that are essentially using their computer usage policies to safeguard data, instead of using the appropriate tools like automatic USB encryption.

Related Articles and Sites:

Comments (0)

Let us know what you think