Encryption failing costs £150,000

Insurer Fined

Royal and Sun Alliance (RSA) has been fined £150,000 by the Information Commissioner’s Office following the loss of personal information relating to 59,592 customers.

Following the theft of a hard drive containing customers’ names, addresses and bank account details, including account numbers and sort codes, ICO enforcement officers found that RSA did not have appropriate measures in place to protect financial information when the theft occurred at its offices in West Sussex between 18 May and 30 July 2015.

The device also held credit card details of 20,000 customers, although security numbers and expiry dates were not affected.

The investigation found that the device was stolen from company premises either by a member of staff or a contractor, that the information on it was not encrypted and that the device has never been recovered. It was kept in a data server room which required an access card and key to enter, and which 40 members of RSA’s staff and contractors (some of whom were non-essential) were permitted to enter unaccompanied.

Steve Eckersley, head of enforcement at the ICO, said: “When we looked at this case we discovered an organization that simply didn’t take adequate precautions to protect customer information. Its failure to do so has caused anxiety for its customers not to mention potential fraud issues.

“There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine.”

Dr Bernard Parsons, co-founder and CEO of Becrypt, said that the fine should serve as a warning on how dangerous storing unencrypted data can be.

“We find data at rest – information stored in removable hard drives and portable devices such as laptops and tablets – is frequently the weak link in an organization’s security, leaving them extremely vulnerable to a serious breach in the event of a device being stolen or lost,” he added. “Alongside the threat of malicious insiders stealing portable storage devices, we have also seen cases of burglaries targeting technology in recent months.

“These kinds of data loss incidents can be prevented if all potentially sensitive and valuable information stored on portable storage devices is encrypted against unauthorized access by default. This means that, even if the worst happens and a device is stolen by an insider, the organization can be confident that the data it contains will be safe from abuse.”

Mark James, IT security specialist at ESET, said: “The fine itself may seem fairly insignificant, but that of course is not the whole story. The PR exposure, your customer hearing about your failings and of course the damage done through the act in the first place all have a cost.

“Encryption is not new; it has a relatively low cost and can be rolled out and maintained with ease. It would not have stopped the theft of the hard drive in this case, but it would have stopped the data from being accessible. Fines need to be in place, but more importantly there needs to be follow-up: if you are holding other people’s data you need to do all you can to keep it safe.”

Infosecurity 2017

Data losses on USB sticks – it’s raining again

The problem of lost USB sticks has been back in the news recently with data losses moving from laptops to the storage devices.

In January, the Information Commissioner’s Office (ICO) and the Office of the Data Protection Supervisor (ODPS) for the Isle of Man jointly criticised Praxis Care after an unencrypted memory stick was lost last year. It contained personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland.

Last week, the details of more than 1,000 school pupils were lost when a USB stick was misplaced by a member of East Lothian Council.

It was at the end of 2009 that I looked back at ‘a tricky 12 months for the USB stick’ when it was blamed for data loss and Conficker. While the problem has not been eradicated completely, it does seem to be slipping back somewhat.

I recently spoke with a new company offering what it calls the ‘Fort Knox’ of USB memory sticks: I know what you are thinking, heard it all before. Well what caught my attention was that this was less a memory stick and more a tracking device, with GPS and GSM modules to track where it is and deliver this information securely to a management console hosted securely on Fujitsu’s Global Cloud Platform.

It also features remote wipe capabilities of any data on the device, whether it’s plugged in to a USB socket or not.

Named Security Guardian, creator ExactTrak said that its inbuilt software is linked to an online monitoring platform that protects against the biggest problem with mobile data security: human error.

Managing director Norman Shaw told SC Magazine that Security Guardian is being adopted by users because it is encryption technology-agnostic and available with either 16 or 32GB of storage.

He said: “We applied intelligent elements to communicate with the device and we can turn the device on or off and delete the memory. We can know where it is geographically.
“We met with the ICO and they said that it is all very well having encryption but 50 per cent of people share passwords. One of the technologies on this is that if you share a password, you can remotely remove or turn data off. A problem is that data losses are often not reported for months; we say this can overcome the stigma of losing data by saying ‘we lost the device but we deleted the contents of it’.”

Shaw said that this is sold not as a product but as a service, and a recent partnership with Fujitsu saw its Global Cloud Platform selected to host the back-end infrastructure.

The heart of the Security Guardian solution is the management console which provides remote access to the devices and maintains a verifiable audit trail detailing when and where data was accessed. ExactTrak said it needed a partner that could host the management console while providing the utmost levels of security, scalability and availability, and it selected Fujitsu’s Global Cloud Platform as a secure portal and because it could offer “global scalability almost instantly”.

Shaw said: “Once data is on the device it is encrypted. We have Trusted Client technology from Becrypt and the cloud capability from Fujitsu and it is all dynamic data on the device, so what is on there is secure.”

In my recent conversation with Thales, it was suggested that technology should make encryption transparent, and “if you know you are using it then it has gone wrong”. I asked Shaw if he felt there was a problem with encrypted data and that people were not using it.

He said: “Some people realise the problem of encryption, so how do you prove that it was turned on? You say that a laptop was encrypted, but then it appears on eBay and it turns out that it wasn’t encrypted at all.

“With our solution you can say that the data was turned on or off on the management console with a verifiable audit trail and the ICO can say the matter is closed.”

There are solutions out there to prevent data loss and most of them offer different levels of security and capability, and what ExactTrak offers is certainly different – the capability to react after the incident.
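The “verifiable audit trail” mentioned above is easiest to reason about as a hash-chained, append-only log: each record commits to the previous record’s hash, so any edit or deletion of an earlier entry breaks every hash after it. The following Python is an added illustration written for this page; it is not ExactTrak’s code and makes no claim about how their console implements its trail. The event fields (device id, action, position, timestamp) and the sample events are constructed.

```python
import hashlib
import json
from typing import List, Optional, Tuple

# Anchor for the first entry; constructed value, not a protocol constant.
GENESIS = "0" * 64

# Constructed sample events in the shape a device check-in might produce.
SAMPLE_EVENTS = [
    {"ts": "2012-02-01T09:00:00Z", "device": "SG-0001", "action": "check-in",
     "lat": 51.5074, "lon": -0.1278},
    {"ts": "2012-02-01T09:05:00Z", "device": "SG-0001", "action": "memory-disabled",
     "lat": 51.5074, "lon": -0.1278},
    {"ts": "2012-02-01T09:30:00Z", "device": "SG-0001", "action": "remote-wipe",
     "lat": 51.5200, "lon": -0.1000},
]


def _digest(prev_hash: str, event: dict) -> str:
    """Hash of the previous entry's hash plus a canonical (sorted-key) JSON encoding."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_event(log: List[dict], event: dict) -> dict:
    """Append an event, linking it to the current head of the chain."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"event": dict(event), "prev": prev_hash}
    entry["hash"] = _digest(prev_hash, entry["event"])
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Walk the chain from GENESIS; return (True, None) or (False, index of first bad entry)."""
    prev_hash = GENESIS
    for index, entry in enumerate(log):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["event"]):
            return False, index
        prev_hash = entry["hash"]
    return True, None


def build_sample_log() -> List[dict]:
    """Build a fresh chain from the constructed sample events."""
    log: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_event(log, event)
    return log


if __name__ == "__main__":
    chain = build_sample_log()
    print("intact:", verify_chain(chain))
    chain[1]["event"]["action"] = "memory-enabled"  # simulate a post-hoc edit
    print("after tampering entry 1:", verify_chain(chain))
```

The chain only proves integrity relative to its head: an auditor must obtain the latest hash from a channel the log operator cannot rewrite (a signed timestamp, a regulator-held copy, or a signature over the head) for the trail to count as evidence that a device was disabled when the console says it was.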

Original article from SC Magazine, Feb 2012

Security Guardian USB stick can be tracked and remotely deleted

Using a web-based console, administrators can also apply policies to Security Guardian devices used by their staff, and locate them if required using their built-in GPS capability.

However, the GPS does not simply allow lost devices to be tracked, but also enables organisations to set location-specific policies governing their operation.

“The memory can be enabled or disabled for specific geographic areas, so a hospital could configure their memory sticks to only work when they are actually on the premises,” said Shaw.

Administrators can also set a policy so that the device will automatically disable its memory if it has been unable to check in with the ExactTrak cloud service for any length of time.

In this state, the data is preserved, but cannot be accessed until the Security Guardian is able to communicate with the management service again. When the memory is disabled, it is electrically isolated from the USB interface, according to ExactTrak.
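The two policies described above (a geofence that enables memory only inside a named area, and a check-in timeout that disables it when the device has been silent too long) combine naturally into one fail-closed decision. The Python below is an added example written for this page, not ExactTrak’s firmware or console code; the `Geofence`/`Policy` types, the haversine distance check, the hospital coordinates and the one-hour silence window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_km: float


@dataclass(frozen=True)
class Policy:
    allowed_areas: Sequence[Geofence]  # memory is usable only inside one of these
    max_silence: timedelta             # longest gap between check-ins before lock-out


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points (spherical approximation)."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def evaluate(policy: Policy, now: datetime, last_checkin: Optional[datetime],
             position: Optional[Tuple[float, float]]) -> Tuple[bool, str]:
    """Return (memory_enabled, reason). Every failure path leaves the memory disabled."""
    # Heartbeat first: a device that cannot reach the console is locked regardless of position.
    if last_checkin is None or now - last_checkin > policy.max_silence:
        return False, "heartbeat-timeout"
    # No GPS fix means we cannot prove the device is on site, so stay disabled.
    if position is None:
        return False, "no-position-fix"
    for area in policy.allowed_areas:
        if haversine_km(position[0], position[1], area.lat, area.lon) <= area.radius_km:
            return True, f"inside:{area.name}"
    return False, "outside-geofence"


# Constructed sample: one hospital site with a 500 m radius and a one-hour check-in window.
SAMPLE_POLICY = Policy(
    allowed_areas=[Geofence("hospital-main", 51.5074, -0.1278, 0.5)],
    max_silence=timedelta(hours=1),
)


def run_scenarios() -> dict:
    """Evaluate four constructed device states against SAMPLE_POLICY."""
    now = datetime(2012, 2, 1, 12, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=10)
    stale = now - timedelta(hours=3)
    on_site = (51.5080, -0.1270)   # roughly 90 m from the fence centre
    off_site = (51.5200, -0.1000)  # well over 1 km away
    return {
        "on_site_fresh": evaluate(SAMPLE_POLICY, now, fresh, on_site),
        "off_site_fresh": evaluate(SAMPLE_POLICY, now, fresh, off_site),
        "on_site_stale": evaluate(SAMPLE_POLICY, now, stale, on_site),
        "no_fix": evaluate(SAMPLE_POLICY, now, fresh, None),
    }


if __name__ == "__main__":
    for name, (enabled, reason) in run_scenarios().items():
        print(f"{name:15s} enabled={enabled!s:5s} reason={reason}")
```

Ordering the checks so that every unknown (no recent check-in, no position fix) resolves to “disabled” is what makes the scheme match the article’s description: data is preserved but inaccessible until the device can talk to the management service again, rather than defaulting to open when telemetry is missing.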

Unlike many other secure USB Flash drives, Security Guardian devices are not self-encrypting. This is because customers told ExactTrak that they wanted them to function with encryption services they were already using, such as Becrypt Trusted Client, Shaw said.

Because of the unusual nature of the Security Guardian devices, they will be sold via system integrators such as Fujitsu as part of a service package including GSM provision. Customers can expect to pay £25 to £30 per device per month.

Published in V3.co.uk, Feb 2012

Ultimate data protection with Security Guardian

Security Guardian is already recognised as the Fort Knox of USB Flash Drives due to its ability to allow data to be deleted even when not connected to a laptop or the internet.

Security Guardian data protection and information security can now be further enhanced by the complete range of Becrypt CAPS, CESG and FIPS approved encryption products. This includes a range of encryption products that cover the complete spectrum of government approved security levels, as well as Trusted Client.

Trusted Client is a self-contained encrypted environment that allows employees to connect to an organisation’s network and data whilst preventing data loss and leakage. This secure isolated environment provides access to a corporation’s existing VPN infrastructure as well as backend applications such as Windows desktops and Microsoft applications.

Go further and control what devices can be used to connect to your laptops. In conjunction with Becrypt’s Advanced Port Control, you can prevent any unauthorised device connection except Security Guardian. This will mean that when data is transferred to a Security Guardian you will always know where it is, thanks to the embedded GPS System. Data on Security Guardian can be remotely deleted, even when not connected to a laptop, thanks to the internal battery.

Full product details can be found on our resource pages.