2008:
A Year of Breaches
Samuel
Warren
City University
of Seattle
Professor
Dan Morrill
January
17, 2011
2008:
A Year of Breaches
Technology is
advancing rapidly. One of the biggest and quickest expanding areas of
technology is internet technology. As the number of individuals putting
personal information on the internet for social networking, job applications,
or online shopping increase, there is a huge resource to be mined. If the
personal information is used with the permission of the owner, it can be a huge
asset to many companies. Companies can use that information to verify the
identity of an online customer and allow individuals to apply for jobs;
however, there is a risk. Due to the augmentation of advancements, hackers, the
world over, become more educated. It is not always hackers who find a loophole,
but rather physical theft, negligence, and poor choices regarding where to
store information. Discussed below are three incidents occurring in 2008 where
the thieves did not need to work too hard. While nearly 800 incidents of data
breaches represent millions of people affected, the short and long-term impacts
of the breaches are not always clear. The University of Akron,
Her Majesty’s Ministry of Defence, and MTV Networks were three of the breaches
of 2008.
University of Akron
In
the case of the University
of Akron, the data breach
was not intentional even though security in place was lacking. A press release
on Ohio.com shares details, “… [A] portable hard drive containing personal
information is missing and may have been discarded or destroyed in December” (2008).
There are two concerns that need to be addressed in this situation. Question
one is blaringly obvious: why do none of the staff have any clue where the
portable hard drive is? Second, why was the information not on a secured
server? First, having a portable hard drive can be a convenient way to
transport information back and forth, but are not typically very secure.
The negligence of
the staff is almost as alarming as the fact that no one has any idea of the
hard drive’s location. Not only did the staff allow confidential student
information to be put onto the portable hard drive, but also they seemed to not
have grasped the weight of what they were putting on the hard drive. The
information was not simply copies of the school brochure. Instead, names,
addresses, most likely Social Security numbers, and other data pertaining to
nearly 800 students were stored. In the short-term, the students are merely
inconvenienced. They may have to call the three major credit companies and let
them know that their information has been compromised. In the long run, if the
information had been taken by someone intent on using it in a negative context,
the students could have any number of things happen to them. For example,
someone could begin opening credit cards in their names, making purchases with
the new credit cards, and making the students responsible. The worst part of
that scenario is the hundreds of hours spent on the telephone with creditors,
debt collection agencies, and the FBI trying to piece their lives back
together.
So how does one
avoid a situation like this? Firstly, do not ever put confidential information
on a non-secured storage device for any reason. If confidential information
needs to be transferred, it should be transferred via an encrypted file or
entered directly into the central data storage server. Secondly, make sure there
are appropriate security measures in place based on industry standards. Most
often, security adds only one or two steps more and affords a level of security
that will protect the students. While security may take a little longer to
implement and maintain, not to mention increased cost, it is worth the time and
money, which is far less costly than having to face lawsuits from 800 students.
Her Majesty’s Ministry of Defence
When a person joins the military of
his/her sovereign nation, he/she expects that his/her personal information is
safe. All information is given to the military offices. One would expect the
security of military to be at a higher level even on the administrative side. In
this case, a laptop with a great detail of information about 600,000 potential
recruits of the Royal Navy, Royal Marines, and the Royal Air Force was stolen
from a Royal Navy Officer. The problem in this specific case is that, like most
military branches worldwide, the amount of detail in a person’s application is
quite significant. The recruits were required to not only share their name and
address, but also passport information, National Insurance numbers, family
details, and medical records (Winnett, 2008). To worsen the situation, bank
records for 3,500 service men and women were also stored on that laptop. The
short-term impacts in this scenario are identity theft, bank account theft, and
other fraud associated with those records. Longer term effects are in the
neighborhood of loss of a retirement account, due to theft, the possibility of credit
files being compromised and negatively affected, as well as debt accrued under
a false identity. Because of the number of people affected, a few people could
cause a lot of long-term havoc by migrating from record to record. On a positive
note, the Ministry of Defence’s response indicated the level of seriousness to
this situation.
The Ministry of
Defence is treating the loss of this data with the utmost seriousness. We are
writing to some 3,500 people whose bank details were included on the database. Action
has already been taken with the assistance of APACS [Association for Payment
Clearing Services] to inform the relevant banks so that the relevant accounts
can be flagged for scrutiny against unauthorised [sic] access. (Winnett, 2008)
While the Ministry of Defence did
not claim fault, the fact that they contacted different groups on behalf of
those affected by this situation speaks to their dedication to their staff.
However, one lesson that can be learned from this situation: do not put
confidential information on a laptop. By storing confidential information on a
portable, easily accessible medium outside of the physical security of the
databases, the potential risk increases significantly.
MTV Networks
As
a company becomes popular, the attention they receive from cyber criminals can
also increase. That was the case for MTV Networks in a data breach that
occurred March 2008. Apparently, the breach occurred from an outside source
that compromised an internet connection of an employee. The company told its
employees in a memo that confidential data belonging to about 5,000 employees
was possibly accessed (Rueters, 2008). The information included names, birth
dates, Social Security numbers, and compensation information. While it is
unclear if the file was actually opened, being that it was password protected,
MTV did inform authorities and a credit monitoring company about the breach. If
the file was opened, the short-term affects could be easily identified by
fraudulent charges on the victim’s accounts. Long-term affects could be much
worse, but that remains to be seen. If the file was unopened, the attack failed
and the employees have nothing to fear. There is not very much that could be
done differently to protect the data in this case. MTV had password protected
the file. If there was more information about how the breach was actually
initiated, one might be able to make better suggestions as to a solution.
However, MTV’s response should be noted, “The company encouraged the affected
employees to place a 90-day fraud alert on their credit files with the three
major credit agencies, and offered credit monitoring for two years at company
expense” (Rueters, 2008).
These
three expressly different businesses had common ground of lost data; however,
their experiences differed greatly. While not all of them were victims of a digital
strong arm robbery, they were the victims of not only bad timing, but also lack
of information security. In each of the incidents, personal information,
including Social Security numbers, were lost. While the University of Akron
involved portable data devices, The Ministry of Defence faced physical theft, and
MTV Networks was breached from the outside, they share a common thread. Storing
information where it can be easily stolen, exposed, or accessed is a huge risk
shared by the three companies. It is always preferable to avoid putting
personal information in a position of risk. Keeping the information in a secure
location, requiring password authentication, is one of the more secure ways to store
information. Keep in mind that businesses should always seek to mitigate any
risks that are not expressly covered by industry standards for information
security. Chief information officers should always be willing to take an
aggressive protection posture when dealing with loss or theft.
References
Local
news, Latest news. (2008, January 11). Records for 800 UA students missing
[Press Release]. Retrieved January 18, 2011, from htttp://www.ohio.com/news/break_news/13709292.html
Open
Security Foundation. (2008, July 14). 2008 Yearly report. In Data loss database
(Rep.200.38). Retrieved from Open Security Foundation website: http://datalossdb.org/yearly_reports/dataloss-2008.pdf
Press
Citizen, The. (2008, January 11). UI College of Engineering notifies former
students of technology miscue [Press Release]. Retrieved January 18, 2011, from
http://attrition.org/dataloss/2008/01/uiowa01.html
Rueters.
(2008, March 8). Technology. In Breach of MTV Computer Files [Press Relesase].
Retrieved January 23, 2011, from The New York Times website:
http://www.nytimes.com/2008/03/08/technology/08data.html?_r=3&ref=business&oref=slogin&oref=slogin
Winnett,
R. (2008, January 18). UK
News. In MoD loses data of 600,000 would-be recruits [Press Release]. Retrieved
January 23, 2011, from The Telegraph website: http://www.telegraph.co.uk/news/uknews/1575900/MoD-loses-data-of-600000-would-be-recruits.html
No comments:
Post a Comment