Abstract:

The Information Commissioner's Office posts details of organizations that have been fined for breaches of security. Many states in the USA demand that each cyber attack that results in data being stolen must be reported. Our role is to read all such security information, to analyse the failures and identify potential solutions. We do not need to have our security compromised to learn lessons and take avoidance action.
Stolen Data:

March 2012: Stolen data cost $1.5 million plus $17 million.

In the US, the Department of Health and Human Services Office for Civil Rights has fined Tennessee-based health insurance provider BlueCross BlueShield $1.5m, after a theft in which hard drives containing health information on more than one million customers were stolen.

According to Knoxville's knoxnews.com, BlueCross BlueShield said the hard drives were stolen from a data-storage closet at a former call center. The 57 hard drives, stolen in 2009, included customers' names, Social Security numbers, diagnosis codes, dates of birth and health-plan identification numbers.

The US Department of Health and Human Services Office for Civil Rights said the company 'failed to implement appropriate administrative safeguards to adequately protect information' at the facility and did not have adequate access controls. BlueCross BlueShield has agreed to a 450-day corrective action plan to address gaps in its HIPAA compliance programme.

Since the theft, the company said that it has spent nearly $17m on its investigation, notification and protection efforts. Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, said in a statement that it has 'worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times'.

Chris McIntosh, CEO of ViaSat UK, said: 'This loss contains a painful lesson, not just for BlueCross, but for the million-plus customers whose personal data has been taken. Data should never be assumed to be safe: whether on a CD, a memory stick, a laptop or a server, it should be protected to the highest level possible to avoid punishments such as this.

'Organisations in the UK may well ask how this affects them, but the lessons are clear. First, while the US Office for Civil Rights clearly currently has the power to impose larger fines, the UK's ICO is still champing at the bit to take action against any organisation guilty of a similar transgression, with the financial and reputational damage that implies.

'Second, BlueCross has admitted to spending nearly $17m on its notification, investigation and protection efforts since the original loss. This dwarfs the federal fine and shows quite clearly that the true costs of a data breach will far exceed a simple one-off penalty.'
County Councils:

Several County Councils (Hertfordshire, Surrey) have been fined for offences under the Data Protection Act because business systems permitted emails to be sent to the wrong person.

Most companies that still use an obsolete email tool such as Outlook will eventually be guilty of sending business information to the wrong person. Directors who provide staff with an email tool whose address book makes it very easy to select the wrong name will eventually be fined, as it is a criminal offence to permit staff to violate the Data Protection Act - Directors and Managers are personally responsible.

Solution:

On-line facilities are provided that demand that a CRM contact name is selected and verified; then a standard email may be selected to be sent to that contact name, provided that the contact has opted in to receive emails. It is illegal to send an email to a person who has expressly declined to receive emails or who has not given express approval (opted in) to receive them.

Every standard email is approved in advance by management, and the ability for a person to send free-format text that may offend or be inappropriate must be eliminated from every business email. Where an attachment is made to an email, the contents of that attachment must be fully generated from stored data in a layout approved by management in advance.
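As an added illustration of the workflow just described (example code, not the company's own system), here is a Python outbound-mail gate with a constructed CRM and template catalogue: the caller can only name a contact and an approved template, the opt-in flag is checked, and the message text is rendered solely from stored data, so there is no way to type a free-format body or a mistyped address.

```python
"""Outbound e-mail gate: verified CRM contact, opt-in check, approved
template only, body rendered from stored data. Added example with
constructed records; not the company's own code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    contact_id: str
    name: str
    email: str
    opted_in: bool          # express opt-in recorded in the CRM


# Constructed sample CRM and the management-approved template catalogue.
CRM = {
    "C001": Contact("C001", "A. Smith", "a.smith@example.org", True),
    "C002": Contact("C002", "B. Jones", "b.jones@example.org", False),
}
APPROVED_TEMPLATES = {
    "APPT_REMINDER": "Dear {name}, this confirms your appointment (ref {contact_id}).",
}


class EmailPolicyError(Exception):
    """Raised when a send request breaks the Data Protection workflow."""


def send_standard_email(contact_id: str, template_id: str) -> dict:
    """Return the message that would be handed to the mail server.

    There is deliberately no 'body' or 'to' parameter: staff can only pick a
    contact and a template, never type free text or an address by hand."""
    contact = CRM.get(contact_id)
    if contact is None:
        raise EmailPolicyError(f"unknown CRM contact {contact_id!r}")
    if not contact.opted_in:
        raise EmailPolicyError(f"{contact.email} has not opted in")
    template = APPROVED_TEMPLATES.get(template_id)
    if template is None:
        raise EmailPolicyError(f"{template_id!r} is not an approved template")
    # The template only ever sees CRM fields, so both the recipient address
    # and the wording come from verified stored data.
    body = template.format(name=contact.name, contact_id=contact.contact_id)
    return {"to": contact.email, "template": template_id, "body": body}


def is_permitted(contact_id: str, template_id: str) -> bool:
    """True when the workflow would allow this send (convenience check)."""
    try:
        send_standard_email(contact_id, template_id)
        return True
    except EmailPolicyError:
        return False
```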
Data Safe:

Customers need the ability to sign in and access a private data safe where information can be stored that will NEVER be accessed by any other person. Using TrueCrypt with a password-protected disk volume that plausibly does not exist provides a service that enables private information to be kept private without exception. If the password is lost, the data will never be recoverable. Audio files may be stored in the data safe, so a recording can be safely held with only the password holder able to gain access.
IMF Hacking:

Google, the IMF, Microsoft, Sony and most significant companies have been successfully hacked, sometimes by nation-sponsored criminals. Cyber crime is not something that happens to a few; it happens to every web service every day, and it is only the layers of security that prevent everything from falling apart. In June 2011 the IMF was hacked with Trojan software installed on a desktop that was on the same network as many valuable in-house servers; the scope of data compromised was significant.

Solution:

None of our web, application, database, email, FTP or any other servers have any client computers connected. Each server is optimised to do one and only one job; all other services are disabled and no software can be installed.

By totally separating all application services from local computers, the threat from software on a local computer cannot impact any server. We also have a policy that no software is permitted or needed to be installed on any local computer, and no data or emails are permitted to be stored on any local computer (which may be lost or stolen).
TrueCrypt:

TrueCrypt came of age when a government agency tried for some years to crack the encrypted hard disk of a bank theft criminal and eventually had to give up. TrueCrypt source code and encryption techniques are published as open source, so if a back door existed it would have been found; after many years, encryption experts have to agree that it is fit for purpose.

TrueCrypt has a novel added feature: the encrypted data could reasonably be said not to exist on a disk drive, so it would be hard for a court to order the password to be provided where no evidence exists that an encrypted, password-protected set of data exists. The idea of using a PNG image as the hash key is truly inspirational: if the data is not created by humans, then human errors are eliminated.

The password needs to be at least 20 characters without any words that can be found in a dictionary. The FBI have tools that will rapidly try combinations of up to 6 words from a dictionary, together with the normal I and O numeric replacements. Your password needs to be very clever and must not contain any data that an agency will be able to assume may be involved - no birth dates or address data.
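An added example (not TrueCrypt code) covering the password rules stated in the Data Safe and TrueCrypt sections above: at least 20 characters, no dictionary words even after the I/O-to-1/0 substitutions are undone, and no birth-date-like digit runs. The word list is a small constructed stand-in for a real dictionary file.

```python
"""Data-safe password policy check. Added example; the dictionary below is a
constructed stand-in, not a real word list."""
import re

MIN_LENGTH = 20
MIN_WORD_LEN = 4     # very short words ('a', 'to') match by chance and are ignored
# Constructed stand-in for a real dictionary file.
DICTIONARY = {"password", "secret", "summer", "london", "bank", "safe", "open"}
# Undo the 'I and O numeric replacements' the text mentions: 1->i or 1->l, 0->o.
SUBSTITUTION_UNDO = [str.maketrans("10", "io"), str.maketrans("10", "lo")]
# ddmmyy / ddmmyyyy digit runs and dd/mm/yyyy-style dates (birth dates etc.).
DATE_RE = re.compile(r"\d{6,8}|\b\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}\b")


def dictionary_hits(password: str) -> list:
    """Dictionary words present in the password, checked case-insensitively
    on the raw text and on copies with the digit substitutions undone."""
    lowered = password.lower()
    variants = {lowered} | {lowered.translate(t) for t in SUBSTITUTION_UNDO}
    return sorted(w for w in DICTIONARY
                  if len(w) >= MIN_WORD_LEN and any(w in v for v in variants))


def policy_violations(password: str) -> list:
    """Return the rules the password breaks; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hits = dictionary_hits(password)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    if DATE_RE.search(password):
        problems.append("contains a date-like digit run")
    return problems
```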