Link: Home Depot and Iron Mountain report missing data.
looking into Iron Mountain’s Live Vault online backup service when I ran across this story from searchsecurity.com.
Apparently, there have been two separate incidents. Home improvement Goliath Home Depot lost information, including Social Security numbers, on some 10,000 employees when a notebook computer was stolen from the car of a company manager.
Then, in a separate incident, data protection megalith Iron Mountain lost a decade's worth of data from the state of Louisiana, including the Social Security numbers of almost every state college applicant for the last decade.
In both incidents, lax security practices were to blame, including the lack of encryption of the lost data. This brings us to the whole point of this post: with the capacity of media (tapes, disks, USB drives, etc.) becoming almost cavernous, transporting multiple gigabytes of personal information for entire organizations becomes trivial. I personally have a USB drive on my key chain that has a capacity of 16GB.
All of this large-capacity media presents an enormous risk of information theft for people and organizations. Encrypting data on media is critically important. We can no longer rely on information being secure within the organizational perimeter; the simple loss of a laptop, a USB drive or backup tapes creates an opportunity for theft of identity and loss of confidentiality.
This isn’t about garrisoning the organization either; managing a PKI is difficult in most organizations. Pareto was right, and the 80/20 rule goes a long way toward mitigating risk. Solutions for removable media include simple open source applications like TrueCrypt (a great open source tool), which provides 256-bit AES encryption. This application can be used to create secured virtual disks on laptop drives and USB drives.
For other types of removable media, such as tapes, most backup tools (ArcServe, etc.) provide a means of encrypting tapes.
You can find more information on commercial and open source encryption software at this Wikipedia article.