- Published: 03 November 2011
- Written by NStinchcombe
4/11/2011 - Commenting on revelations that Rochdale council has been censured by the ICO after losing an insecure USB stick that contained the personal details of 18,000 residents, Cryptzone says that the sad fact about the case is that it could so easily have been prevented.
According to Grant Taylor, VP of the IT threat mitigation specialist, controlling data on USB sticks can easily be achieved using a combination of encryption, backed up by enforced security policies to ensure data compliance.
“Using this belt-and-braces approach means you have policy enforcement software allied with a secure USB stick environment where data has to be moved using this type of hardware. You can also allow controlled access to the data on a secure remote basis,” he said.
“Taking a centralised secure silo approach to data leak prevention is actually the preferable methodology, as it's perfectly possible to have multiple storage systems across different offices, where a large number of employees require access to a constantly updated file database. But whichever security methodology is used, the important thing to realise is that these systems are now easy-to-use and transparent as far as the end user is concerned,” he added.
The Cryptzone VP went on to say that the Rochdale council data loss is quite significant as it amounts to 8.7 per cent of the 206,000 population of the city, although with just over 10,000 employees, the council clearly has a large number of staff handling a lot of data on a daily basis.
This does not excuse the loss of an insecure USB stick however - or the fact that the data was outside the control of the council's security envelope - making the incident a double breach of the council's security rules, he explained.
“What I find amazing is that the USB stick was used to store the financial accounts of the council, suggesting that residents' names and addresses, along with details of payments to and by the council,” says Taylor.
“The only saving grace here is that details of the residents' bank accounts were not stored on the USB stick, as otherwise you would be handing an identity theft kit on an electronic plate to cybercriminals, which, at current rates, would be worth around £12,000 on the cybercriminal carder and allied data exchange forums,” he said.
“It saddens me to hear that the investigation by the ICO found that Rochdale council's data protection practices were insufficient and that it failed to make sure that memory sticks provided to staff were encrypted. The council also reportedly failed to provide employees with proper data protection training,” he added.
“This is all about manager and user education, so it's clear that we, as an IT security industry, need to redouble our efforts on the security education front.”
For more on Cryptzone: www.cryptzone.com
For more on the data Cowboy in Rochdale USB stick saga: http://bit.ly/rH2Gat