In the U.S., certain organizations are required to notify people when sensitive information is breached. For example, under HIPAA (essentially, the regulations that govern patient privacy obligations of so-called “covered entities”), the loss of a laptop containing PHI, personal health information, is reported to the Department of Health and Human Services, except when laptop encryption was used to protect the data.
When these data breaches take place, one of the most common refrains in the breach notification letters is that “it is our [i.e., the breached organization’s] belief that the computer / hardware / laptop / etc. was stolen for the perceived value of the physical hardware.”
I am not aware of any instance where a breach notification letter has declared otherwise, namely that the laptop was indeed stolen for the information stored on it.
Are they correct? Or is it just wishful thinking? Consider the following.
State Bar of Nevada Facility Broken Into
According to databreaches.net, storage facilities belonging to the State Bar of Nevada (that is, the state organization that governs the legal profession) were broken into, with the thief or thieves stealing confidential records. The haul was limited to 18 records, but consider the type of information that must be submitted to take the bar exam:
Personal information for taking the bar exam is everything imaginable: Full Name, Birthday, SSN, Address, Previous Home & Work Addresses for past 10 years, Home phone, cell phone, drivers license number, his children’s full names and birthdates, his spouse’s information, and his Military Service Record Form DD-214. Not to mention the names and contact information for personal references, and the list goes on.
Yes, it also included Credit Card Account information with Exp. and CCV code on back to pay for the Bar Exam.
At least one person had “his bank account drained,” which seems to support the above statement.
You can read more by following the links provided at the end of this post, but there is one thing that nobody is asking: how did the thief know where to break into?
The question that doesn’t need to be asked is whether the records were the target of the burglary. It’s obvious that they were; as far as I know, nothing else was stolen. People are breaking into storage facilities to steal paper documents full of sensitive information. Would you find it impossible or incomprehensible that people would do the same to steal sensitive information stored on electronic devices?
People are Nosy and Will Search Your Smartphone
According to a test Symantec carried out in 2012, people will access the contents of a lost phone:
Some 43 percent of finders clicked on an app labeled “online banking.” And 53 percent clicked on a file named “HR salaries.” A file named “saved passwords” was opened by 57 percent of finders. Social networking tools and personal e-mail were checked by 60 percent. And a folder labeled “private photos” tempted 72 percent.
Collectively, 89 percent of finders clicked on something they probably shouldn’t have.
I should also mention that only 50% of the phones used in the test were returned. What does this have to do with anything, you might ask?
Well, complete strangers who’ve literally found an electronic device lying on the ground will access it to see what kind of data can be found on it. Are we really such ingénues as to believe that thieves who steal laptops wouldn’t take an hour or two to see what kind of goodies are stored on their newly obtained goods? Especially when software that searches a disk for credit card numbers and SSNs can be downloaded for free, located with the most powerful indexing and sorting portal mankind has ever seen?
The truth is, statements such as “we believe that the thieves were after the hardware and not the information in the laptops” are merely that, a belief. They are no more realistic, accurate, or relevant than saying “we believe that the thieves escaped riding unicorns that opened a portal to the eleventh dimension.”
If I were the person receiving a breach notification letter, what I would want to read is “thieves stole laptops with sensitive information but you’ll be OK because we used full disk encryption to protect the data.”
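Being able to write that sentence honestly means knowing, before the theft, which laptops actually had full disk encryption enabled. The following is an added example, not code from the original post or from any vendor it mentions: a small POSIX shell check that reads the output of `lsblk -r -o NAME,TYPE,MOUNTPOINT` on a Linux laptop and reports whether the root filesystem sits on a dm-crypt (LUKS) device. The two sample inventories embedded below are constructed for the example; in real use you would feed the function the live `lsblk` output.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a Linux laptop's
# root filesystem is on a dm-crypt device, using `lsblk -r -o NAME,TYPE,MOUNTPOINT`
# output. The sample outputs below are constructed for this example.

# is_root_encrypted <lsblk raw output>
# Returns 0 (true) when the device mounted at "/" has TYPE "crypt", else 1.
# In raw (-r) mode lsblk separates columns by single spaces and leaves the
# MOUNTPOINT column empty for unmounted devices, so $3 is "/" only for root.
is_root_encrypted() {
  printf '%s\n' "$1" | awk '
    $3 == "/" { if ($2 == "crypt") found = 1 }
    END { exit(found ? 0 : 1) }
  '
}

# report <lsblk raw output>: human-readable verdict for an inventory run.
report() {
  if is_root_encrypted "$1"; then
    echo "root filesystem is on a dm-crypt device: data at rest is encrypted"
  else
    echo "root filesystem is NOT on a dm-crypt device: data at rest is unprotected"
  fi
}

# Constructed sample: LUKS-encrypted root volume (plaintext /boot is normal).
ENCRYPTED_SAMPLE='NAME TYPE MOUNTPOINT
sda disk
sda1 part /boot
sda2 part
luks-example crypt /'

# Constructed sample: root filesystem directly on a plain partition.
PLAIN_SAMPLE='NAME TYPE MOUNTPOINT
sda disk
sda1 part /boot
sda2 part /'

# Live use on the machine being inventoried:
#   report "$(lsblk -r -o NAME,TYPE,MOUNTPOINT)"
report "$ENCRYPTED_SAMPLE"
report "$PLAIN_SAMPLE"
```

The check is deliberately narrow: it confirms only that the root filesystem is backed by a crypt device, which is what a notification letter needs to be able to claim. It does not verify the cipher or key length, and it says nothing about external drives or about a second, unencrypted data partition, so treat a positive result as one input to an inventory rather than proof that every byte on the machine was protected. On Windows the equivalent evidence comes from `manage-bde -status`.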
Related Articles and Sites: