Digging through the Data Security News of 2009
'Twas the night before trash day when all through the garage
A creature was stirring and he faced a barrage
The trash bags were open by the back door with care
In hopes that a receipt he’d lost would appear from thin air
A couple of weeks before the holiday season got into full swing, my wife and I found a gift for my sister that we’d been seeking a long time. It seemed a bit pricey for a household appliance, but it was something we knew she’d use, so we got it for her for Christmas.
A week later my wife was walking through another department store and found the same item for half the price, so we bought it again with the intent to take the first, more expensive version back to the store for a refund. That entailed finding the receipt, and although we are well-organized in such financial matters, we could not find that elusive piece of paper in the house.
The only alternative was to search through the two plastic bags of trash we’d accumulated for the two-week period, assuming the receipt had been thrown away. Despite the fact that my family strives to keep our carbon footprint as small as possible, around Thanksgiving we had accumulated a lot of garbage. So I found myself meticulously searching through turkey bones and banana peels, paper shreddings and all of the other things that cannot be recycled, for a tiny receipt.
It was a terrible, smelly chore carried out on the cold garage floor, but finally I located the receipt among coffee grounds and orange peels. The matter, however, reminded me of how many stinky off-network data security stories I’d dug out of the news this year. Every story of a lost laptop and stolen data storage device containing personal and business information appeared before my eyes, not like dancing sugar-plums of the holiday season, but as reminders of how far business and industry need to go before true off-network data security can be achieved.
So I’ve assembled a list that you don’t have to check twice to determine which organizations were naughty, or simply lacking in data security, this year. Below is a round-up of some of the most newsworthy data breaches reported by the industry and mainstream news media in 2009.
January
• The year began with a warning that lost or stolen laptops and other removable electronic devices were named as the cause for more than 35% of all reported data security incidents in 2008, according to the nonprofit Identity Theft Resource Center, which reported that personal records of at least 35.7 million Americans were exposed in 656 breaches reported the previous year. The number of data breaches in 2008 was up almost 50% from 446 in 2007, with nearly 37% of the breaches taking place at businesses.
• Consultancy firm KPMG predicted that the number of people affected by data losses worldwide could more than double in 2009.
• Ninety-two percent of U.S. IT security practitioners reported that someone in their organization had a laptop lost or stolen and 71% report that it resulted in a data breach, according to a Ponemon Institute study on the use of encryption on laptops.
• A data breach disclosed late in the month by Heartland Payment Systems was expected to displace TJX Companies' 2007 breach in the record books as the largest ever involving payment data with potentially more than 100 million cards being compromised. Although not an off-network data breach, this incident demonstrated that any organization that fails to protect its data effectively provides an easy target for data theft and must grapple with considerable damage to financial stability and business reputation.
• The U.S. Department of Veterans Affairs agreed to pay $20 million to current and former military personnel to settle a class action lawsuit related to a stolen laptop computer containing personal data on 26.5 million active duty troops and veterans.
• A New Zealand man who purchased a used iPod from an Oklahoma thrift outlet discovered the device contained 60 pages of U.S. military data, including personally identifying information on soldiers who served in Iraq and Afghanistan, equipment deployment lists and mission information.
• In the first of many UK incidents this year, the Abertawe Bro Morgannwg University NHS Trust in Wales reported an unencrypted laptop computer containing personal information on 5,000 patients was stolen from Singleton Hospital in Swansea.
• A computer tape containing medical records of more than 8,000 patients in County Londonderry in the UK was reported missing after a courier company collected the cartridge but failed to deliver it to another location.
• A Ponemon Institute study found the total cost of coping with consequences of a data breach incident rose to $6.6 million per breach, up from $6.3 million in 2007 and $4.7 million in 2006. The cost per compromised record in 2008 rose 2.5% over 2007 to $202 per record, according to the study.
February
• A computer forensics firm said that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive information, including corporate financial data.
• The UK Information Commissioner's Office took action against a London hospital where two laptop computers were stolen containing unencrypted details of patients.
• In an example of how businesses can be negatively impacted by an off-network data security breach, coffee retailer Starbucks was sued for an October 2008 data breach involving 97,000 Starbucks employees whose names, addresses and Social Security numbers were on a stolen laptop computer.
• Glan Clwyd hospital in the UK lost 100 unencrypted computer disks containing personal information about patients of the North Wales NHS Trust.
March
• A computer hard drive containing personal information on more than 200,000 visitors to Jackson Memorial Hospital in Miami, Fla., was reported stolen from the hospital's data center.
• A laptop computer was reported stolen from an employee of DeZonia Group, a company that manages billing for Chicago Fire Department ambulances, impacting the identities of more than 63,000 people who had been transported by city ambulances.
• The U.S. Department of Energy's Office of Health, Safety and Security reported a computer disk containing personal information for more than 59,000 current and former Idaho National Laboratory employees, including names, birthdates and Social Security numbers, was lost in transit.
• The Federal Emergency Management Agency warned that a laptop computer with personal information on Indiana flood victims was stolen from a housing inspector's car.
• A computer stolen from the University of Toledo contained personal information for about 24,000 students and 450 faculty members.
• Camden Primary Care Trust, a health care service provider for the London borough, lost computers containing 2,500 medical records, including patients' names, addresses and diagnoses.
• University of West Georgia officials notified nearly 1,300 students and faculty members that their personal information was on a laptop stolen from a professor.
• A laptop computer stolen at the Palo Alto Medical Foundation's Santa Cruz, Calif., office contained personal and medical information of 1,000 Santa Cruz County patients.
• Administrators at Pacific University in Forest Grove, Ore., reported a university-owned laptop that contained names and personal information of an unknown number of people was stolen from a staff member's home.
• A survey revealed that 52% of security professionals said they were most concerned about internal security risks and 35% cited an insider-related mishap such as the loss or theft of a laptop or portable storage device.
April
• A laptop computer containing unencrypted personal information on about 1 million Oklahomans was reported stolen from an employee of the Oklahoma Department of Human Services (DHS). A DHS spokesperson said the computer contained names, Social Security numbers and birth dates for people served by the agency, including those using such programs as child care assistance, food stamps, disability coverage and Medicaid.
• A laptop computer belonging to the Oklahoma Housing Finance Agency and containing personal information, including Social Security numbers and tax identification numbers, of about 225,000 Oklahomans was stolen from an agency employee’s home.
• A computer containing personal information such as names, birth dates and special educational needs of 33,000 children was stolen from Wigan Borough Council in the UK.
• Moses Cone Health System in Greensboro, N.C., said a laptop computer containing unencrypted confidential information, including medical procedures, regarding 14,380 patients, as well as Social Security numbers for about 6,000 people, was stolen from a hospital vendor.
• An employee of the Oklahoma Employment Security Commission lost an unprotected flash drive containing payroll and other personal information, including Social Security numbers, on more than 5,500 people.
• FairPoint Communications officials said an employee lost a portable data-storage device containing personal information such as names, addresses, birthdates and Social Security numbers on about 4,400 current and former employees.
• Marian Medical Center in Santa Maria, Calif., reported that a handheld device containing information on about 3,200 patients was stolen from the hospital.
• An employee of Bradford Teaching Hospitals NHS Foundation Trust in the UK lost a USB memory stick that had confidential records of thousands of healthcare patients.
• A laptop computer containing personal details of nearly 1,400 hospital patients was stolen from Aberdeen Royal Infirmary in Scotland.
• A computer hard drive containing unencrypted details about British Special Air Service training operations was lost and the UK government launched a top-level investigation after the equipment went missing during a military exercise.
• The Ponemon Institute released a study that found that, on average, lost or stolen laptops cost corporate owners $49,246 apiece. The cost of a data breach was found to be the most expensive aspect of losing a company laptop, taking up roughly 80% of the total average cost to a company.
May
• An external hard drive that's believed to contain nearly 1TB of sensitive data from the Clinton Administration was reported missing from the U.S. National Archives and Records Administration. The information on the missing drive included more than 100,000 Social Security numbers and home addresses of people who visited or worked at the White House.
• A laptop computer containing unencrypted personal data of 109,000 UK Pensions Trust members was stolen from the offices of NorthgateArinso, suppliers of the Pensions Trust's computerized pensions administration system.
• U.S. missile defense plans, security logs from the German Embassy in Paris and account numbers of a U.S. bank’s proposals for a $50 billion currency exchange through Spain were found among 300 secondhand hard drives purchased by the University of Glamorgan in a study to determine the types of residual data that may be recovered from discarded computer hardware.
• A laptop computer stolen in New York City from the United Food and Commercial Workers union included insurance numbers and other information about 28,000 Canadians.
• As many as 14,000 U.S. Department of the Interior laptop computers, most of them unencrypted, could be missing, potentially exposing sensitive and personally identifiable information, the department's inspector general reported.
• The UK National Health Service’s Department of Health confirmed that 140 security breaches were reported within the health service between January and April, including lost computers and disks containing medical records on tens of thousands of people.
• Two laptop computers containing personal information and medical data on more than 10,000 people were stolen from a pair of hospitals within the Salford Royal NHS Foundation Trust in the UK.
• Three laptop computers containing confidential information about 2,000 healthcare patients were stolen in separate incidents at the West Hertfordshire Hospitals NHS Trust in the UK.
June
• Two laptop computers containing health information such as names, birth dates, personal health numbers and lab test results for about 250,000 patients were stolen in a burglary from the University of Alberta Hospital.
• Irish energy provider Bord Gáis reported that a laptop computer with unencrypted account details, including bank records, of 75,000 customers was one of four portable devices stolen from its offices in Dublin.
• A computer containing files with names and Social Security numbers of about 45,000 Cornell University students, current and former staff, and dependents was stolen from a university employee.
• A desktop computer with personal identifying information of nearly 40,000 current and former students was stolen from Virginia Commonwealth University. University officials said the computer may have contained student names, Social Security numbers and test scores of 17,214 people dating to 2005.
• Technicians in a computer repair shop found the names and Social Security numbers of 6,000 current and former Sutter Health workers on an old laptop computer that had been brought in for repair.
• A flash drive containing names, addresses and Social Security numbers of about 3,000 people employed by six large Florida corporations was reported stolen from the car of a Florida Department of Revenue employee in Georgia.
• Fifty-two missing computers that may contain sensitive information were highlighted in reports released by Illinois auditors investigating several cases of state government mismanagement.
• A mobile data device belonging to Kirkwood Community College and containing Social Security numbers on 1,600 people was reported stolen from an employment office in Iowa City, Iowa.
• A team of journalists investigating the global e-waste business unearthed a computer hard drive in a Ghana market containing unencrypted sensitive documents belonging to U.S. government contractor Northrop Grumman.
• Laptop computers from a civil service human resources office in Belfast that contained personal financial details of staff members were stolen in a break-in, officials at the Northern Ireland Department of Finance and Personnel offices said.
• Fifteen computers containing unencrypted data were stolen from the Blackburn with Darwen Borough Council in the UK.
• New research from the Ponemon Institute found that most employees admit to serious non-compliant workplace behaviors that put their companies at risk, including the insecure use of USB memory sticks.
July
• U.S. State Department inspectors found that 27 agency laptop computers were missing out of a sample of 334 laptops from four department bureaus, according to a report by the department's inspector general, which determined that the State Department does not have an accurate accounting of its laptop computers, including equipment used for classified work, and has failed to encrypt machines to protect sensitive information.
• Officials of Canyons School District in Utah said they were investigating the disappearance of a USB flash drive that likely contained personal information, including names, addresses, birth dates and Social Security numbers, of more than 6,000 current and former employees.
• The Francis Howell School District in St. Louis warned that a laptop computer containing names and Social Security numbers for 1,700 non-certified employees was stolen.
• Highland Council, a local government in the Scottish Highlands, reported the theft of two unencrypted laptop computers containing personal details, including medical information, of 1,400 people.
• A Ponemon Institute study found that 85% of businesses surveyed about encryption say they have experienced a data breach during the past year, up from 60% in a 2008 study.
August
• A military contractor’s laptop containing personal data on about 131,000 U.S. Army National Guard soldiers was reported stolen.
• Japanese credit card company Mitsubishi UFJ Nicos Co. said an internal investigation found that the company may have mistakenly discarded key information on 197,000 customers that was stored in a recording medium.
• UK-based Repair Management Services, a trade association representing car repair companies, reportedly lost a laptop computer containing unencrypted personal data on 37,000 people and information on 1,900 driving convictions.
• The Weber County Sheriff's Office in Utah reported a missing laptop computer belonging to a loan officer for Sun Valley Mortgage that contains sensitive and personal information of 600 homeowners in the state.
• A laptop containing personal and compensation information for more than 4,400 current and former employees was reported stolen from Williams Cos. Inc., an Oklahoma natural gas producer and distributor.
• A New York Life Insurance Company agent's laptop containing unencrypted private information of New Hampshire customers reportedly was stolen from a car in July.
• A computer tape containing personal information, including names, addresses and Social Security numbers, for an unspecified number of Chase Bank customers reportedly was lost, bank officials stated.
• Twelve laptops and two desktop computers were stolen from the California State University, Los Angeles, Minority Opportunities in Research program, impacting hundreds of students and faculty.
September
• A laptop computer containing unencrypted personal information relating to about 43,000 school children and young people was stolen from the Wigan Council in the UK.
• A laptop computer containing a registry of 38,000 U.S. Naval Hospital Pensacola pharmacy service customers' names, Social Security numbers and birth dates reportedly went missing.
• Three laptop computers containing the private and medical details of more than 7,000 Birmingham National Health Service patients in the UK reportedly were stolen from surgical firm Trulife.
• An unencrypted laptop computer containing personal information of 6,377 applicants for medical training positions was reportedly stolen from NHS Education for Scotland.
• The UK Ministry of Justice lost personal information on more than 2,000 people in data breaches, including the loss of an unencrypted memory stick containing personal details of employees.
• A laptop computer was stolen from the St. James Institute of Oncology in the UK that contained vital research into new cancer treatments.
October
• The inspector general of the National Archives and Records Administration is investigating a potential data breach of tens of millions of records about U.S. military veterans, after the agency sent a defective hard drive back to a vendor for repair and recycling without first destroying the data.
• A laptop computer stolen from an employee held a file containing identifying information for every physician in the U.S. contracted with a Blue Cross and Blue Shield-affiliated insurance plan, including the names, addresses, tax identification numbers and national provider identifier numbers for about 850,000 doctors.
• A flash drive containing personal information, including names, Social Security numbers and demographic data for more than 103,000 former adult education students in Virginia reportedly was lost, Virginia Department of Education officials reported.
• The UK Secretary of State for Environment, Food and Rural Affairs said the nation’s Rural Payments Agency (RPA) had been unable since May to locate two computer back-up tapes containing bank data, addresses, passwords and security questions for more than 100,000 farmers.
• Zurich Insurance, the UK subsidiary of the Swiss insurer, said it lost a tape containing confidential personal details of 550,000 South African, 51,000 British and 40,000 Botswana customers.
• Several disks containing unencrypted personally identifiable data on about 68,000 members of CalOptima, a Medicaid managed healthcare plan in California, were reported missing by a vendor.
• Halifax Health in Florida confirmed that a laptop computer containing billing information for 33,000 patients was stolen from a hospital employee’s car.
• A portable computer storage device containing patient names, Social Security numbers and other personal information about 1,700 former patients dating back to the 1980s was reported missing from Pitt County Memorial Hospital in Greenville, N.C.
• A data storage device containing the names and Social Security numbers of nearly 11,000 people reportedly was stolen from a Roane State Community College employee's car.
November
• A portable, external hard drive with seven years of personal and medical information for about 1.5 million customers of insurance company Health Net was reported lost six months earlier. The hard drive contained unencrypted files with Social Security numbers as well as medical records and health information dating to 2002 for current and former customers in Connecticut, New York, New Jersey and Arizona.
• The U.S. Army Corps of Engineers began an investigation into the loss of an external hard drive that contained personal data, such as names and Social Security numbers, of as many as 60,000 current and former soldiers and civilian employees.
• The UK Information Commissioner's Office reported 434 organizations suffered data security breaches during the past year, up from 277 the year before. More than 200 hospitals and 200 companies reported breaches of the Data Protection Act in that period.
• Eighty computers were stolen from the UK Ministry of Defence (MoD) and 34 have been lost by staff since January, government officials said, noting that as many as nine desktop computers and 42 USB memory sticks were missing.
• A data storage device belonging to Roane State Community College in Harriman, Tenn., and containing names and Social Security numbers of 10,941 people, was stolen.
• A laptop computer reported stolen from Aurora St. Luke's Medical Center in Milwaukee, Wis., contained names, Social Security numbers, birth dates, diagnosis codes, medical record numbers and other personal information on about 6,400 patients.
• A laptop computer containing personal information, including Social Security numbers, of about 600 current and former students was reported stolen at Bloomsburg University of Pennsylvania.
December
• The U.S. Army reported a laptop computer containing names and other personally identifiable information for more than 42,000 people was stolen from a Family and Morale, Welfare and Recreation Command employee at Fort Belvoir in Virginia.
• Personal medical information of an estimated 10,000 people was compromised by two security breaches, Detroit city officials said, including the theft of a flash drive and a desktop computer.
• A Children's Hospital of Philadelphia laptop computer containing Social Security numbers and other personal information for about 1,000 people reportedly was stolen from an employee’s car.
Conclusion
There are many interesting details to note in this dubious line-up of data security breaches, including how many health care, government and education organizations are represented. Even more significant is how few business enterprises show up on the list. This may be a clear indication of what many in the data security industry realize and fear – that most businesses suffering a significant data security breach do not publicly acknowledge incidents as they occur.

Nice article, guys! Have you heard about reliable software solutions to prevent data loss? We have tried many different apps, till we found Staffcop. No problems since then. Hope this helps.
Have a nice day!
Posted by: Paul | December 24, 2009 at 07:07 AM