Managed Encryption Service: E & Y Hostage To Used Computer Dealer.

Well, I guess you can monetize just about anything nowadays.  According to a story I first encountered at databreaches.net, a Canadian man who bought used servers has alerted Ernst & Young (and the Canadian Privacy Commissioner) that he’s holding their data… and is asking for compensation.  If only the data had been protected with something like AlertBoot’s managed encryption solution…

Legal Wrangle

The situation seems to go as far back as 2006, when the used computer dealer, Mark Morris, bought a number of Dell servers from Synergy Partners.  This firm was acquired by E&Y in 2003.  Once Morris saw that the servers contained sensitive data he could access, he contacted E&Y.  He supposedly asked for $50,000 to begin deleting the data “from where he has stored it, though not on the primary server.”

I have no idea what this means, but it almost sounds like Morris had made backup copies, and was offering to delete those for a cool $50K.  Bids were made for the information (again, supposedly) for $1.2 million.  When you consider that personal information, no matter how sensitive, goes for less than $500 – and often for $10 or less – at least 2,400 people’s data appears to be on the server.

E&Y, for their part, note that they do their utmost to protect sensitive data.  They have questioned whether the so-called servers with data are actually in Morris’s possession.  Indeed, via a deal they’ve reached with Morris, E&Y will be paying the latter $1,500/day to start going through the data.  Not bad for an initial down payment of $300… and 8 years.

Oversight?

According to Morris, E&Y said that, “if the data exists on the server, then it was by mistake”.  Well, of course it was.  What kind of company would go around doing it (or saying that they did it) on purpose?

The point is that there are many ways to ensure such a mistake doesn’t happen.  For example, any company the size of E&Y (and in a knowledge-based sector) has policies for disposing of electronic equipment that once held data.  Policies vary by company, but a common procedure is to take possession of the old equipment; delete the data in a secure manner; and then dispose of the equipment, which includes its physical destruction.

Contingency backstops can be incorporated at every stage.  For example, (1) use encryption, (2) delete data, and (3) destroy the hard drives when retiring the equipment.  If any two of these fail, the remaining one will still prevent a data breach: assuming the encryption was not installed properly (which opens up a can of worms in its own right) and that the data deletion did not take place, the drive destruction phase will take care of business, and so on and so forth.
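As an added illustration (not code from the original post or from AlertBoot), here is a Python decommission check that models step (2) on a file-backed disk image: it overwrites the image and then reads every byte back, refusing to declare the media clean while any non-zero byte or known record marker survives. The image path, the sample client records and the `SIN:` marker are constructed for the demo.

```python
"""Decommission gate for retired storage: overwrite, then verify by reading back.

Constructed example using a temporary file in place of a block device so it
runs offline; on a real server the same functions would be pointed at the
device node once the equipment has been taken into custody.
"""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read/write unit


def overwrite_image(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the image with zeros and flush to disk.
    Returns the number of bytes covered per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(b"\0" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # do not trust the page cache
    return size


def verify_wiped(path: str, markers: list[bytes]) -> dict:
    """Read the whole image back; count non-zero bytes and look for any record
    marker that survived (markers may straddle chunk boundaries, hence the tail)."""
    nonzero, found, tail = 0, set(), b""
    overlap = max((len(m) for m in markers), default=0)
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            nonzero += len(chunk) - chunk.count(0)
            window = tail + chunk
            found.update(m for m in markers if m in window)
            tail = chunk[-overlap:] if overlap else b""
    return {"nonzero_bytes": nonzero, "markers_found": sorted(found),
            "clean": nonzero == 0 and not found}


def demo() -> tuple[dict, dict]:
    """Constructed scenario: an image holding client records, checked before and after wiping."""
    records = b"client: ACME Ltd; SIN: 000-000-000\n" * 1000  # constructed sample data
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(records + b"\0" * (CHUNK - len(records) % CHUNK))
    before = verify_wiped(path, [b"SIN:"])
    overwrite_image(path)
    after = verify_wiped(path, [b"SIN:"])
    os.remove(path)
    return before, after
```

On flash media (SSDs) an overwrite pass does not reach every physical cell because of wear levelling, which is exactly why step (3), physical destruction, remains in the chain.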

Of course, this doesn’t mean that the risk of a data breach has been eliminated: in the world of risk, systematic risks will always remain.  However, these pertain to situations that are outside of one’s control, such as someone pointing a gun at an employee and demanding his laptop computer, or finding out that your IT director has been stealing equipment.

For a server that was sold off, you just can’t have a good excuse for a data breach.  Likewise for any old equipment that was sold off, including laptops, external hard drives, and soon enough, smartphones and tablet computers.

Related Articles and Sites:
http://www.databreaches.net/ernst-young-accused-by-canadian-of-massive-data-breach/
http://www.networkworld.com/article/2604411/security0/ernst-and-young-accused-by-canadian-used-computer-dealer-of-data-breach.html
