Recent breaches show data theft prevention basics lacking

By Ron Condon, U.K. Bureau Chief 13 Sep 2009 | SearchSecurity.co.uk

Enterprise IT tips and expert advice Digg This!     StumbleUpon     Del.icio.us

The first theft involves a laptop computer stolen from an NHS training body last November. The machine, which belonged to NHS Education for Scotland (NES), was being used to test a new medical recruitment website. In order to carry out the tests, the developer had copied the records of 6,377 people who had applied for medical posts. Since the machine was never intended to leave the premises, the information was left unencrypted. Under the policy that applied at the time, it did not qualify as a 'mobile device' and therefore was not protected as such.

Lessons learned The NES case highlights the importance of these security practices:    *Encrypt personal files on any mobile or portable device ·         *Train staff to understand why security is necessary, and to follow policy *Monitor the security of testing systems and files just as you would production systems   Note: The ICO is likely to be able to impose fines by next April.

This week, the chief executive of NES, Malcolm Wright, was forced to issue a public apology and undertaking through the Information Commissioner's Office (ICO), both admitting what went wrong and pledging to employ better data theft prevention practices in the future.

In the statement, Wright said: "This incident involved the theft of a laptop, belonging to NES, from an office within NES premises at Ninewells Hospital at some time between the evening of November 28 2008 and the morning of December 1 2008. NES staff is confident that this office was locked at the close of business on November 28. A police investigation into the incident has proved inconclusive; Tayside Police does not expect any further progress."

Wright went on to explain that the laptop contained the personal data of 6,377 individuals, all held within an SQL database file. "This personal data consisted of summary descriptions of applications for medical training positions, and included information such as the names, addresses, phone numbers and General Medical Council reference numbers of the data subjects. The personal data also included equality and diversity monitoring information. This information was a superseded data set that was being used to test a development version of a medical recruitment website," he said.

The ICO took the view that the information was sensitive enough to warrant more protection, but agreed not to take further enforcement action against NES in exchange for assurances that it will tighten up its data theft prevention procedures.

The assurances are outlined in the NES's public undertaking and include a commitment to encrypt all personal data held on portable and mobile devices, as well as other portable media.

In addition, NES undertakes to ensure that "staff are aware of the data controller's policy for the storage and use of personal data and are appropriately trained on how to follow that policy."

Lessons learned The stolen database case illustrates the following: *The emergence of the insider threat *The value of classifying sensitive data and files.  *The importance of technology that prevents confidential information from being emailed out, copied on to portable media, or even sent as an attachment to an instant message. *The need to protect a company's collateral, including its domain name. *The power of the Copyright and Rights in Database Regulations 1997.

Running with the database
The second case involves the theft of customer data from a commercial database by an employee who was leaving to start his own company.

The High Court this week heard the case of Richard Braachi, who had emailed his company's customer file to his private email account before leaving to start his own conferencing company.

Braachi had worked for First Conferences between 2006 and 2008. The company claimed he took sales and contact information from its databases and used the data to organise a rival conference.

The court agreed, and found that in copying the contacts and sales information to his private email account and using them as the basis of his own business, Braachi breached article 16(1) of the Copyright and Rights in Database Regulations 1997.

The court also found that Braachi had transferred the domain name theforecaster.com from First Conferences to his new business without permission.

Tags: Data Breach Incident Management and Recovery,  Database Security Tools and Techniques,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Data Breach Incident Management and Recovery Make PCI DSS compliance easier by reducing scope, outsourcing data Full disk encryption: Safer and easier than file and folder encryption PCI DSS requirements: Get ready for stricter enforcement, fines Data breach costs continue to rise in 2009, Ponemon study finds Data Protection Act breach could cost companies 500,000 pounds Jericho Forum to provide customers with good security questions to ask Verizon report goes deep inside data breach investigations Insider threat detection still a challenge for employers Layoffs prompt insider threat fears, cybersecurity survey finds ArcSight boosts system log management capabilities Database Security Tools and Techniques Multifunction security device safeguards SOA, streamlines company's infrastructure Safend expands data leakage prevention product to plug more gaps How to prevent memory dump attacks Database activity monitoring lacks security lift Report: Firms avoid encrypting backup tapes, databases Cryptography for the rest of us Unpatched vulnerability discovered in Microsoft SQL Server How to use Excel for security log data analysis SQL injection continues to trouble firms, lead to breaches Monitoring program data and internal controls for risk management

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary