
It seems that at the end of the year a good review of this year's “security hiccups” should be in order.
Well, it seems this year has been one of “those” years. Laptop theft seemed to be on the top of the incidents list. All in all, I'd say it was a pretty bad year. A bad year in the sense that common security criteria, things that everyone talks about and learns about in courses and actually things that SHOULD be on EVERY SECURITY PROFESSIONAL'S checklist, have not been addressed. In fact some of these incidents are just plain terrible, and lapses of this magnitude should not be forgiven. Contractors that fail THIS badly should lose their contract immediately, without possibility of re-negotiation. Nevertheless, I collected my Top 10 personal data security hiccups (v. 2006.12 :))

  • 10: The iBill incident
    As written on wired.com, a database of 17 million (that is 17 000 000…) credit card numbers with all their respective information, such as name, billing address etc., had leaked and was actually RE-SOLD on the internet black market in 2005. 2005 you say? Well, in 2006 another 1 million surfaced on a phishing site. Even though iBill claims that the database did not originate from them, it was THEIR database and I am still wondering how the h*ll a database of such size (4.5GB) can be swiped (downloaded) from a server without anyone noticing it. Oh yeah, iBill did most of its business with the adult entertainment industry, so quite a few porn surfers MIGHT have been affected, and since the company is pretty much bankrupt, there is nothing they can do about it. Brilliant!
  • 9: The Newspaper incident
    It seems that in January The Boston Globe and the Worcester Telegram & Gazette actually printed and attached the credit card details of 200,000 subscribers to the newspaper bundles that they delivered. I mean getting hacked or getting data stolen is one thing but PRINTING AND ATTACHING them? WOW, what a nice thing to do! “Buy a newspaper and get credit card details for free!” or “Hey, can you find yourself in the list? Win a prize if you can, or your neighbour :)”.
  • 8: The Hong Kong incident
    Good one: you make a complaint against the police for whatever reason, and your matter is dealt with “with the utmost anonymity and secrecy”. That is, until a contractor copies your complaint information with the full details onto a publicly available webserver. That is exactly what happened with 20,000 such incidents and personal records. And then you wonder why you get more speeding tickets all of a sudden? :)
  • 7: The Japanese newspaper incident
    Another newspaper leak. This time in Japan. Apparently the largest one to that date: a list of personal details of subscribers of a Japanese newspaper leaked onto the net via P2P (file sharing). Excellent! Now you don't really have to be in an inner circle anymore to get 66,000 possibilities for ID fraud, just log on to a P2P network and download from multiple sources at once. Fast, easy data delivery! :)
  • 6: The Wells Fargo incident
    Not particularly high profile in the sense that no one knows the full number of names, yet still quite drastic. According to the report, the computer (laptop?) was shipped and contained the data on the hard drive for an undisclosed number of customers. Data included pretty much anything: social security numbers, addresses, loan account numbers etc. They mention that the computer has 2 layers of security, but to be honest that can, in publicity speak, mean that it has a BIOS password and a Windows password. In other words, both pretty much useless against a semi-experienced script kiddie or even a PC hobbyist.
  • 5: The London Metropolitan Police incident
    There is this recent report on BBC about a theft of 3 laptops containing half of the entire London Metropolitan Police Force's payroll information. Even though they say that ID theft risk is minimal, I hope that the contractor (LogicaCMG) gets a nice swift kick in the … simply because: WHY ARE THE RECORDS STORED ON THE LOCAL DISKS OF THE LAPTOPS? and WHY WERE THE LAPTOPS NOT ENCRYPTED? Another nice incident where the taxpaying people will bankroll an investigation into something which could have been mitigated easily.
  • 4: The AIG incident
    Insurance giant loses close to 1 million personal records. WOW! Another laptop incident. The records were on a laptop and a server which were stolen in a burglary in an office somewhere. Great, no alarm? No server rack? Or server storage closet that is, hmm, I don't know, maybe LOCKED? Not only did these records include personal information very useful to identity thieves, but for about 5% of the people even medical notations and records. Now if I wanted to steal someone's identity, this would be VERY valuable, and 5% of a million is still 50,000.
  • 3: The NAVY incident
    So the VA laptop incident happened, the disks get recovered and some 30,000 NAVY sailors' personal details AND their families' are found on a website. Then they leak some 100,000 Navy aviators' details as well? Kind of like for good measure. These details not only appeared online, no, they appeared online on the Navy's Safety Centre website. I mean WOW!!! Who on earth puts spreadsheets with that information online? Someone should write an article about the thought process of the individual! For all this, they get the 2nd runner-up place.
  • 2: The Hotels.com incident
    Picture this: You have the personal details of 234,000 customers of Hotels.com, a website that you do contract work for, on your laptop. This machine seems to be an unencrypted standard laptop, and you STILL take that data with you. Would you leave that laptop in YOUR CAR? This happened on May 3rd. On May 31st the Ernst & Young spokesperson said that now all laptops are password protected and encrypted. Nice going, good move. However, it's too little, too late! Definitely the runner-up this year.
  • 1: The VA Laptop
    This year's favorite security lapse. I think it has been discussed around the net more than Paris Hilton's hacked phone pictures, and with reason. On May 3rd a laptop and an external hard drive were stolen from a VA analyst's home in Aspen Hill. It contained full details of over 26 million military veterans and former enlisted personnel. Though the hard drives were later recovered, and the FBI “said” that the data was not accessed, I am asking: HOW THE HELL does an ANALYST walk home with 26 million records OFFLINE in his bag, UNENCRYPTED??? This was the largest US Government security breach and definitely deserves this year's “TOP SECURITY LAPSE” award.
  • Honorary mention: The Boeing incident!
    Just a few days ago Boeing confirmed that a laptop with over 380,000 personal records of employees and retirees had been stolen. Great news, because apparently these records are complete enough to put the employees at risk for ID theft. You got to love this business!

Final words: Judging by the fact that most thefts occur off-site and the data is always on a portable device, I think that it is about time that companies take their security policies, review them and, where STILL needed, implement full disk encryption. If you handle sensitive data (anything that is not yours to decide about!), your laptop should be encrypted. Better though: WORK REMOTELY WHENEVER POSSIBLE!!

//Flosse
