There are reports out of Kentucky that a computer being used at the Louisville Hall of Justice has been stolen. The notable thing about this story, however, is that the computer was eventually recovered. Even more notable: the recovered computer was missing its hard drive. This small fact can be interpreted in many ways, but with the daily stories of stolen data being sold and traded on the internet, it’s difficult not to conclude that the contents of the missing storage device have found or will find their way to the dark net.
The stolen hard drive is presumed to have sensitive, personal information for “less than 175 individuals,” the number of people contacted to alert them of the data breach. The personal information could include Social Security numbers, bank account numbers, and driver’s license numbers that were included in the emails of the two Assistant County Attorneys who used the computer.
Will you stop and think about what is being implied here, security-wise? Kentucky passed a breach notification law in 2014. It provides safe harbor if the sensitive information is encrypted or if it’s believed that nothing will come out of the data breach.
The absence of the hard drive negates the latter condition. The fact that people are being alerted means that the former condition has not been satisfied, either.
But, remember, the sensitive data was stored in emails. So, not only was the computer not encrypted but neither were the emails. The implication, then, is that the two attorneys were shooting (or perhaps only receiving?) personal information around the internet without having it encrypted first.
That’s not good. When sending and receiving information over the internet, chances are that somebody, somewhere can intercept that data. ISPs have to do it, of course, because they’re in the business of forwarding emails to the correct inbox.
But criminals, too, can intercept emails by hacking strategic servers to either retain emails or to read an email’s contents for specific patterns before it’s sent on. So that’s a digital info security no-no.
Also, it was revealed that the computer was stolen from a publicly accessible conference room.
Terrible, security-wise. The only way a non-encrypted computer with sensitive information should be allowed to remain in a publicly accessible conference room of a Hall of Justice is if the Hall of Justice is this one:
At least then you’ve some super-duper friends to stop any shenanigans.