Reports are breaking this morning about the theft of a laptop in New York that contained the data on over 170,000 people who used the services of the Irish Blood Transfusion Board between July and October of 2007. The IBTS state that the data were sent to a US software development company based in New York as part of a software upgrade of the IBTS systems. The data were sent by disc and encrypted with AES-256.
It is not clear whether the data were then copied from that disc onto the laptop or whether the data remained on the disc, which in turn was in the laptop. Either way, the data were lost when an employee of the US software firm was mugged outside their home and the laptop taken.
While data encrypted with AES-256 may be sufficient to protect the data from the average mugger, those with more technical abilities may be able to access the data. This is dependent on how the data were encrypted: for example, was it with the WinZip utility or a commercial encryption package? It is also dependent on how strong the password used to encrypt the data is. If it is a simple-to-guess password, then the data can be compromised regardless of the cipher's key length.
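The point above is that a password-derived key is only as unpredictable as the password behind it. The following is an added illustration, not code from the original post: it derives an AES-256-sized key from a password with PBKDF2 (as most archive and disc-encryption tools do) and estimates how many bits of that 256-bit key an attacker actually has to search, based on the password's length, character classes and presence in a dictionary. The tiny word list and the entropy heuristic are constructed for the example.

```python
import hashlib
import math

# Constructed stand-in for a real password dictionary (assumption for the example).
COMMON_WORDS = ["password", "letmein", "welcome", "dublin",
                "transfusion", "blood", "donor", "summer"]

# Size of each character class an attacker would enumerate.
_CLASS_SIZES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: not c.isalnum(), 33),   # printable ASCII punctuation
)


def password_entropy_bits(password: str) -> float:
    """Rough upper bound on the guessing work for a password, in bits.

    A dictionary word costs log2(dictionary size) guesses.  Otherwise we
    assume the attacker knows which character classes were used and must
    try charset_size ** length candidates.  Real crackers do better than
    this (patterns, leaked lists), so the true figure is lower.
    """
    if password.lower() in COMMON_WORDS:
        return math.log2(len(COMMON_WORDS))
    charset = sum(size for test, size in _CLASS_SIZES if any(test(c) for c in password))
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def effective_key_bits(password: str, cipher_key_bits: int = 256) -> float:
    """Security actually delivered: the weaker of the cipher and the password."""
    return min(password_entropy_bits(password), float(cipher_key_bits))


def derive_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Derive a 32-byte (256-bit) AES key from a password with PBKDF2-HMAC-SHA256.

    The output is always 256 bits long, but it is a deterministic function of
    the password and salt, so guessing the password recovers the key.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)


def guesses_to_exhaust(password: str) -> float:
    """Number of password guesses needed to cover the whole search space."""
    return 2.0 ** effective_key_bits(password)


if __name__ == "__main__":
    salt = b"constructed-salt"   # in practice: random, stored beside the ciphertext
    for pw in ["password", "Summer07", "aB3!" * 10]:
        key = derive_key(pw, salt)
        print(f"{pw!r:>45}: key={len(key) * 8} bits, "
              f"effective={effective_key_bits(pw):6.1f} bits, "
              f"guesses~2^{math.log2(guesses_to_exhaust(pw)):.0f}")
```

The derived key is 256 bits in every case; what changes is the effective figure, which is what a determined attacker with the disc image actually faces. This is why the question of how the IBTS data were encrypted, and with what passphrase, matters more than the "256" in the headline.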
Although this breach could have been made public by the US software company under the data breach disclosure laws in the state of New York, we should give credit to the IBTS for how they have disclosed the breach to the Irish media and public, unlike other government bodies that only made the public aware of their breaches as a result of a parliamentary question.
There are still some questions that need to be addressed and should be considered by all companies looking to transfer data abroad for whatever purpose:
- Why was live data used in a test environment? There are many tools available now that can anonymise data for testing purposes.
- Was this data transferred out of the Irish jurisdiction in accordance with the Data Protection Act?
- What agreements were in place to ensure the security of the data while in the possession of the US company?
- Could these arrangements be audited to ensure they were being adhered to?
- Did this employee really need to have the data at home? Did they need to have all the data or would a subset have sufficed?
- What controls were in place to ensure unencrypted copies of the data were not left unprotected? For example, someone importing the data into an Excel spreadsheet.
- What arrangements were in place to securely delete the data once it was no longer required?
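On the first question, anonymising data before it leaves the production environment is straightforward. The following is an added example, not the IBTS's or the vendor's code, of what a test-data export could look like: direct identifiers are dropped, the donor identifier is replaced with a keyed pseudonym (HMAC, so the key stays at home and the vendor cannot reverse it), and dates and postcodes are generalised so that records stay useful for testing a software upgrade without identifying anyone. The donor records, field names and the routing-key style postcodes are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample of what a production extract might contain (not real data).
SAMPLE_RECORDS = [
    {"donor_id": "D-000001", "name": "Aoife Murphy", "dob": "1975-03-14",
     "postcode": "D04 X1Y2", "blood_group": "O-", "last_donation": "2007-08-02"},
    {"donor_id": "D-000002", "name": "Sean Byrne", "dob": "1988-11-30",
     "postcode": "T12 AB34", "blood_group": "A+", "last_donation": "2007-09-21"},
]

# Fields that must never appear in a test extract.
DIRECT_IDENTIFIERS = {"donor_id", "name", "dob", "postcode"}


def pseudonymise_id(donor_id: str, key: bytes) -> str:
    """Stable, keyed pseudonym: same donor maps to the same token within one
    export, but without the key the token cannot be linked back to the ID."""
    return hmac.new(key, donor_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalise_dob(dob: str) -> str:
    """Reduce an exact date of birth to a decade band, e.g. '1975-03-14' -> '1970s'."""
    year = int(dob[:4])
    return f"{year // 10 * 10}s"


def generalise_postcode(postcode: str) -> str:
    """Keep only the routing-key part of a postcode (the coarse area)."""
    return postcode.split()[0]


def anonymise_record(rec: dict, key: bytes) -> dict:
    """Build a test-safe record from a production one."""
    return {
        "donor_ref": pseudonymise_id(rec["donor_id"], key),
        "birth_decade": generalise_dob(rec["dob"]),
        "area": generalise_postcode(rec["postcode"]),
        "blood_group": rec["blood_group"],           # needed for realistic testing
        "last_donation_month": rec["last_donation"][:7],
    }


def contains_direct_identifiers(rec: dict) -> bool:
    """Release gate: True if any forbidden field survived into the record."""
    return bool(DIRECT_IDENTIFIERS & set(rec))


def anonymise_dataset(records: list, key: bytes) -> list:
    """Anonymise every record and refuse to emit one that still carries identifiers."""
    out = []
    for rec in records:
        safe = anonymise_record(rec, key)
        if contains_direct_identifiers(safe):
            raise ValueError("direct identifier leaked into test extract")
        out.append(safe)
    return out


if __name__ == "__main__":
    export_key = b"constructed-export-key"   # in practice: random, kept in-house
    for row in anonymise_dataset(SAMPLE_RECORDS, export_key):
        print(row)
```

The export key is generated per extract and never shipped with the data, so a stolen copy of the test set reveals blood groups and decades of birth at most, and nothing that names a donor. A gate like `contains_direct_identifiers` is also the kind of check an auditor can point to when asking what controls were in place before data left the jurisdiction.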
The upcoming ISSA Ireland meeting this Friday on “Security Breach Reporting and Impact” will have a very topical item to debate.