A UK local council has lost the personal details of hundreds of residents when a memory stick fell out of an employee’s pocket. Details lost include names, addresses, national insurance numbers, ethnicity and more.
Read More »

The police force in England’s second-largest city, the Greater Manchester Police (GMP), has suffered extensive disruption for several days following an infection by the Conficker worm.
Read More »

It’s been reported today that the UK security service, MI5 has accused China of bugging and initiating acts of espionage on UK business executives, to obtain sensitive commercial secrets.

The story, from a leaked MI5 document says that undercover intelligence officers from China’s People’s Liberation Army and the Ministry of Public Security have also approached UK businessmen at trade fairs and exhibitions with the offer of “gifts”. The gifts — such as USB memory sticks and other digital media — have been found to contain electronic Trojan bugs which provide the Chinese with remote access to users’ computers.

This is yet another example of the use of innocuous-looking devices in an attempt to harvest sensitive or confidential data. The best advice to protect your PC and corporate networks is to use only authorised, secure flash drives, preferably with on-board anti-malware scanning capability, and lock out unauthorised devices. After all, Trojan horses are no longer larger than life and made of wood.

It seems from a recent report that healthcare businesses have become a specific target for hackers in recent months. International managed security services company SecureWorks says that attempted hacker attacks launched at its healthcare clients doubled in Q4 2009, increasing from an average of 6,500 per healthcare client, per day in the first nine months of 2009, to an average of 13,400 per client per day in Q4 2009.

It’s suggested that there are two main reasons for this: the large amounts of identifiable data on patients stored within healthcare organisations, and the sheer number of possible attack vectors, including web-based attacks and attacks from devices (such as infected, unauthorised USB flash drives).

In some territories, such as the UK and Canada, healthcare bodies are rolling out extensive data security measures (such as secure USB drives with onboard anti-virus scanning). This is a sensible and practical response to the increase in data security risks.

The personal health records of over 83,000 Canadians have been lost on an unencrypted USB memory stick.

The device was lost by a member of staff from a centre in Ontario State, and contained data collected from everyone who attended H1N1 or seasonal flu vaccination clinics in the region over a period of nearly two months. The information included personal information such as names, addresses, phone numbers, dates of birth, health card numbers, doctor’s names and so on. Read More »

The Royal Navy has begun an investigation into how a memory stick containing restricted information on Royal Navy manoeuvres and personnel was found in a public car park, close to the mooring of the Navy warship HMS Hurworth in Belfast, Northern Ireland.

Although the device was handed in to police, an attempt had been made to sell the flash drive and its contents to an Irish newspaper – which suggests the contents of the drive were not protected.  The Navy investigation will focus on trying to establish if the data on the drive has been copied.

Incidents such as this highlight the wisdom of the approach being taken by the US military on the re-introduction of flash drives – including measures such as authorised staff being issued with centrally procured, approved, secure USB flash drives, a ban on all personally owned flash media.  This way, users can enjoy the flexibility of flash drive use without the security risks, as the protection is delivered and managed transparently.

Here are some sobering statistics from a recent US survey of IT professionals.  The leading magazine InformationWeek recently announced the findings of its State of Encryption Survey, which polled the opinions of 499 IT staff. 

Only 14% of respondents said encryption is used across their organisations, and just 38% said they encrypt data on mobile devices.  The main reason for deploying encryption (31%) was to meet regulatory requirements – and there’s a strong reason for this, as 44 US states enforce mandatory disclosure of data breaches, and such disclosure can cost organisations hundreds of thousands of dollars. Read More »

Last week’s episode of the British satirical comedy, The Thick of It, showed how the concept of a major public-sector data loss has become so mainstream that it can be the subject of an entire programme.

The story was based around the accidental wiping of a large volume of citizen data within a Government department, with no backup available, and follows the frantic efforts of the department to stop the news leaking to the press. Read More »

More UK companies and Government departments than ever are reporting data losses to the Information Commissioner’s Office, the UK data watchdog, according to recent data.

Reported incidents grew nearly 100% to 356 data losses in the period between November 2008 and September 2009, compared to 190 incidents between October 2007 and November 2008.

The most common type of loss was due to stolen hardware, usually laptops, with 127 such cases.  Another 71 were due to lost hardware – usually USB flash drives – and 78 due to misaddressed discs or memory sticks. 

It’s hard to say whether the number of losses has increased, or if organisations are simply reporting more losses than in previous years.  But it’s reasonable to assume that many of these losses would not have caused problems if the data had been stored on a secure USB flash drive.

After being banned in November 2008, it looks likely that USB flash drives are about to be reintroduced to U.S. Defense Department computers and networks.

But there will be very strict controls on their use, to avoid future malware and security issues which caused the DoD to suspend the use of all USB memory sticks, removable storage devices and camera flash cards on all networks after a worm infection.

In a recent blog post, the CIO for the U.S. Navy, Robert Cary said Defense officials are finalising details of the new USB security policy.  Cary said in his blog that the important thing is to ensure that thumb drives used in the future cannot transfer viruses to military computers and networks.

Policies will also include practice such as authorised staff being issued with government-owned and procured secure USB drives, a ban on all personally owned flash media, and upgrades to DoD antivirus and malware detection and procedures.  These are all recommended, sensible controls to ensure network hygiene and reduced risks of data losses.