The following data breach harkens back to the days of old when hackers from China, Russia, North Korea, or whatever country you can think of, were not involved in a data breach. I wish I could say it’s a breath of fresh air but, honestly, I’d prefer that such data breaches don’t take place.
According to cbs6albany.com and other sources, Pioneer Bank has started contacting clients about an employee laptop’s theft and resulting data breach. Was the laptop protected with the likes of AlertBoot’s cloud managed disk encryption that was designed for instances exactly like this one?
It seems dubious…but the bank’s notification letter notes that “secured personal information” (my emphasis) was on the laptop, and Albany is in New York (where breach notification laws do not extend safe harbor to encrypted data), so who’s to say?
Love and marriage. Horse and carriage. Peanut butter and jelly. And now, cars and laptop thefts. These are all things that, apparently, go together. In the past ten years that I’ve researched data breach instances, none has been more prevalent in headlines than a variation of “the laptop was stolen from a car.” Small details change here and there (car was parked in front of the house, outside a conference venue, at a hotel; the door was locked, it was unlocked; the laptop was in the trunk, in the front seat, in the back seat, beneath the seat, etc.) but it’s essentially the same story over and over.
The result of the latest mishap is not quantifiable by the public since Pioneer Bank is not releasing the numbers. However, they did let the media know that the laptop held “secured personal information of certain customers, including names, social security numbers, street addresses, and account and debit card numbers.” (timesunion.com)
The word “secured” in the above is ambiguous: does it mean that proper encryption software was used to secure the data? Or is it a reference to the use of password protection, which is worth less as a security tool than the name implies?
Accusations that one is trying to read more into it than there is fall flat when one considers that the bank took one month to get in touch with clients: it means the bank’s lawyers had about one month to craft the message, and you can bet that the word “secure” was chosen for a reason. If encryption had been used to protect the data, the word encryption would have been used in the notification: the media and its consumers are now pretty savvy when it comes to data breaches, and the loss or theft of encrypted data tends to dampen any indignation.
And assuaging anger is actually worth it: if you visit this Facebook page, you’ll see that there are already a number of people who are extremely displeased by how the breach notification and other things were handled.