NHS: Data Loss

According to a recent report, the NHS data losses that are reported are just a fraction of the real issue.

It is now reported that “Four out of Five NHS trusts have lost patient data or suffered a data security breach since the beginning of last year.”

There have been more than 1300 NHS data loss incidents since January 2007. Source

Virtually all of these data losses could be stopped, even if USB drives are being used.

What is far more concerning is this: if millions of records are being lost, how many are being stolen?

Charge Over Lost Data

The government officer who left the “Terror” document on a train is to be charged under the Official Secrets Act, and not under Section 55 of the Data Protection Act.

The individual has been charged under Section 8.1 of the Official Secrets Act.

Interestingly, the BBC article on the issue states that the individual responsible, who cannot be named, “was informed of the decision on Monday morning and was moved from his home to an undisclosed location.”

The systems in place are what allow this massive failure; holding one man responsible for the endemic failure of the entire government's systems hardly seems fair.

Police Lose Data

Sigh…………..

A police force has undertaken an urgent hunt for a computer memory stick after admitting it has been lost by an officer on duty.
West Midlands Police would not confirm or deny reports that the data stick contained information on terrorism.

BBC NEWS | England | West Midlands | Police admit to lost data blunder.


We know what is lost, but how much is stolen?

There are numerous reports of “data loss” by the government, almost one every month; whether it's the NHS, the MoD, or the Home Office, no government department is free from these failures.

But these are only the known losses; how much is stolen without the government's knowledge?

The key thing to remember about data is that if you “steal it” nothing is missing; it's not like taking jewels. So unless there are technical solutions in place to monitor and/or stop this, there is no way of knowing whether data has been stolen or not. We know that the UK Government does not have these systems in place, therefore data theft almost certainly must occur.

So how much is stolen? Well the government would like us to believe the data is highly protected and only accessed by highly competent people, but we know that the “Data Guardians” are anything but that.

While we cannot say how much data is stolen, we can use some very relevant statistics to try and predict this.

The Identity Theft Centre reported in their 2007/2008 report that losses/thefts have the following breakdown:

  • 12.9% hacking
  • 15.6% theft by company employees
  • 21% lost laptops and other digital media
  • 14% accidental publishing
  • 11% due to subcontractors

I.e. the amount of theft by employees is about 70% of the size of the data loss. Therefore for every 10 records lost by government failings, 7 will be stolen (mainly due to unprotected systems).

To put this in perspective, 37 million records were reported lost in the UK in 2007; therefore we would estimate that around 25 million records have been stolen.

This means that 25 million records could have been deliberately stolen, mainly from the government, for the purposes of crime.

While this figure is high, it's not unreasonable.

91% of senior technical staff (CTOs) believe that cyber crime is a major problem for their company, and the government has invented new powers and laws to try and crack down on the trade in data.

We know it occurs in theory and in practice, and market and government agree. So what are the government doing to stop this?

Nothing.

Data Theft Statistics

  • 91.1% of IT security professionals stated that they perceived cyber crime as a major business risk
  • 95% of IT security professionals in the financial sector perceived cyber crime as a major business risk
  • 73% of CIO/CSOs stated that they were more concerned about data theft than hacking
  • 68% of CIO/CSOs stated that critical data was at risk
  • 25% of CIO/CSOs stated that there had been a breach of their data
  • 42% did not know if there had been a breach

Source

Those who have had their data stolen deliberately, e.g. by theft from an employee with access to the data, are 12 times more likely to be victims of fraud than those who have their data lost by accident (e.g. a missing laptop). Source

More than 244 million pieces of data have been lost or stolen (at the time of writing) according to Privacy Rights Clearinghouse.

According to the Identity Theft Centre there have been 449 incidents of data breaches so far this year (in the US). This is more than the whole of last year.

In over 40% of the incidents of data breaches/data theft, the number of records lost/exposed is not reported or fully disclosed. I.e. all the figures are a lot higher. Source (ITC) ITC 2008 Report

The categorisation of breaches by industry vertical was:

  • 37% for Business
  • 20.3% for Educational
  • 15.6% for Medical/Healthcare
  • 15.4% for Government/Military
  • 11.6% for Banking/Finance

Causes of data theft/loss were categorised as follows:

  • 12.9% hacking
  • 15.6% theft by company employees
  • 21% lost laptops and other digital media
  • 14% accidental publishing
  • 11% due to subcontractors

Source


Germany to tighten laws after data theft scandal

BERLIN — Germany is to tighten data protection laws, Interior Minister Wolfgang Schaeuble said on Thursday, responding to revelations that Germans’ personal data can be bought easily on the Internet.

Mr. Schaeuble said a working group would draw up proposals on higher fines for data protection violations and tighter rules on the trade with personal and financial information.

“There will be no quick shots but speedy consultations to get the law proposal ready before the end of the year,” Mr. Schaeuble told a news conference after meeting Germany’s justice, economy and consumer protection ministers on the issue.

Germany’s latest privacy scandal was triggered by reports that a call centre employee alerted authorities to a problem with his company’s data collection practices by handing over data on some 17,000 addresses and bank account details to a privacy protection office.

Privacy officials have also said they had been able to buy millions of items of personal data, including bank and phone data, undercover on the Internet.

globeandmail.com: Germany to tighten laws after data theft scandal.

Certegy Settles Consumer Data Theft Lawsuits

TAMPA – A federal judge has approved a settlement in two class-action lawsuits filed against a St. Petersburg check authorizing company that had more than 8.4 million consumer records stolen and sold to direct marketers.

The settlement provides for a range of credit monitoring services and reimbursement of expenses for those whose identity was stolen. The company, Certegy Check Services, also is reimbursing more than $2 million in legal expenses to the law firms involved in the cases.

William G. Sullivan, a former analyst for Certegy, was sentenced in July to four years and nine months in federal prison for stealing the records. A judge also ordered Sullivan to pay $3.2 million in restitution to Certegy.

A federal prosecutor said at the sentencing hearing that Certegy had to spend $3.2 million to notify the 5.9 million customers whose private financial information was stolen. The victims were in all 50 states, the District of Columbia, the Virgin Islands, Puerto Rico and overseas. Some customers had data stolen that was not deemed to be private financial information.

The class covered by the settlement includes anyone in the United States and Puerto Rico whose credit card, debit card, checking or demand deposit account numbers or other information was included in multiple databases. It excludes anyone who decided to opt out of the settlement after being notified it was pending.

Under the settlement, Certegy is required to pay $2.35 million in attorney fees, costs and expenses. Two representative plaintiffs, Linda Beringer and Dana M. Lockwood, were awarded $500 each. Other named plaintiffs were awarded $250 each.

Certegy Settles Consumer Data Theft Lawsuits.

4 Caught for GS Caltex Data Theft

Police detained two employees of a subcontractor of GS Caltex and two of their friends, Sunday, for the alleged theft of personal information of more than 11 million customers of the oil refiner.

The four planned to sell the information to the highest bidder, according to police.

The personal information of the 11.19 million customers included resident registration numbers, home and company addresses, and phone numbers, in what is the country’s largest-ever data theft case.

One of the subcontractor workers, Jeong, 28, was one of the 12 people authorized to access the database and is suspected of stealing the information between July and August. He asked another worker to make a simplified chart of the customer information and record it in Microsoft Excel files on compact discs (CDs), according to the police.

Afterward, two accomplices attempted to spread news of the theft by pretending they found the CDs by chance; one of them contacted a newspaper company and said he had picked up the CDs at a garbage dump in a leisure district in southern Seoul. Police will seek arrest warrants for three of the four.

“They tried to make the ‘leak’ a social issue by reporting it to the media, as they would be able to sell the information later for a high price if the media reported that the CDs included the personal information of many customers, including high-profile figures,” a police officer at the National Police Agency said.

Police, however, have found some inconsistencies in the testimony of the four and are continuing to question them over details of the crime, and are looking for other possible accomplices.

4 Caught for GS Caltex Data Theft.

Data Loss: Ministry of Justice 5,000 records

The government has admitted, yet again, losing a hard drive containing details of thousands of employees of the Ministry of Justice.

This is not the first time the government has lost MoJ data, having previously lost 4 CDs of unencrypted data. The Home Office, which is very closely related to the MoJ, very recently lost 84,000 people's details on a USB drive.

The same question keeps being asked, and not answered:

Why will the government not protect the data with encryption? If a person was the victim of identity theft, or other personal or financial loss, there could be a very good case against the government, if necessary through the Court of Human Rights. On 17th July 2008, the ECHR found against Finland when one of its citizens brought a case against Finland for failing to protect her data.

The millions of people who have had their data lost in the past couple of years by the UK government have a far stronger case than that brought against Finland.

For any politicians reading this, the solution is incredibly simple and free:

Encrypt the data.

That's it, it's simple and free! Yes, free: i.e. there is no reason the government cannot use high-level encryption to protect your data, for free. If you don't trust staff to encrypt files, then you can buy software to enforce it.

Interestingly, EDS, the company who lost the data, previously produced advice on how companies can reduce data loss. They state that:

“The encryption of all data that is moved offsite is crucial, but should be mandatory for portable end-user devices such as laptops and PDAs, as well as all removable media.”

The irony!


BBC NEWS | UK | Data on 5,000 justice staff lost

Jack Straw has ordered an inquiry into the loss of a computer hard drive containing the details of up to 5,000 employees of the justice system.
The justice secretary is also trying to establish why he was not told of the blunder, which happened in July 2007.
The details, of employees of the National Offender Management Service in England and Wales, including prison staff, were lost by private firm EDS.
Justice Minister David Hanson said he was “very angry” at the loss.
‘Deeply regret’
“I await the enquiry to see the details of the information, but my assessment is that the confidentiality and the security of staff will

BBC NEWS | UK | Data on 5,000 justice staff lost.


EDS, the company who lost the data, is an HP company and previously produced advice on how companies can reduce data loss. They state that:

“The encryption of all data that is moved offsite is crucial, but should be mandatory for portable end-user devices such as laptops and PDAs, as well as all removable media.”

The irony!
