Archive for the ‘Breaches’ Category

You’d probably think that Ernst and Young’s “misplacement” of the credit card data for 243,000 Hotel.com patrons was a security issue, but you’d be wrong. Someone uninformed about these things might mistakenly believe that when Veteran’s Affairs lost information on 26.5 million people that there was a problem. But not so! You see, really this missing data is almost a non-issue. You see, these laptops not your oridinary “run of the mill” laptops – instead, they were protected by a veritable “iron wall” of protection: namely, a password in the case of E&Y and a proprietary data format in the case of VA.

You see, according to a memo by a VA representative, all that data containing medical information, personally identifiable data, etc. is in no jeopardy because the format of the file is proprietary – and, of course, therefore safe. You see, without “specialized tools” the data is in no danger. Without specialized text processing applications like “grep” and “wordpad,” the data remains safely locked away from these shady perpetrators; the expensive nature of these tools, and the highly specialized skills required to operate them, are likely to be out of reach for most attackers.

According to the E&Y representative, E&Y’s extensive “data lockdown procedures” require that a user enter a password before access to sensitive data is allowed; as with VA, given that advanced disk-analysis tools like “dd” are so expensive and the experts familiar with hard-disk removal technques are so hard to find, the data remains out of nefarious hands and out of the way of prying eyes. Behold the impregnable fortress of safety!

So thanks to both VA and E&Y for explaining to us all the mitigating factors surrounding this data loss. I was concerned about it before I found out the truth of the matter.

I received this via email from Alan Borack (a friend and colleague) about the recent disclosure by Aetna about losing member data, and with his permission am posting his comments here.

How long do you think it will take for the 2 companies impacted to notify
their employees they are among the 38,000 names on the laptop?

More and more banks are moving towards replacing desktop computers with what
we used to call ‘dumb terminals’ to lower costs and to prevent users from
saving information to the hard drive, cdrom or usb drives. Laptops too, are
being issued only to key personnel – namely technical support and officer
types – the kinds of people who don’t have or need direct access to personal
information of employees or clients.

All good questions from a seasoned veteran of financial services; why indeed do all these folks have our personal data on their laptops?

What is it exactly, do you suppose, that Ernst and Young sells its clients? If you said “auditing services” or “consulting”, you’re right, but I’m asking a more general question than that. To get to the heart of the matter, why would you listen to E&Y moreso than you would listen to your neighbor, a cousin, or that dude on the street that talks to himself?

The answer is Trust. That’s what they sell. At the core of the purchasing decision is the degree to which you do or don’t trust E&Y to deliver the goods – and the confidence that you have that they will add value. They know it, too – take a look at their Overview: “…integrity and professional competence are the cornerstones of our global organization. We work hard to earn and maintain our clients