Thursday, January 31, 2008

Data Breaches Probed at New Jersey Blue Cross, Georgetown

Via Computerworld.com -

Companies are paying a lot of attention to securing their networks against malicious attackers and other threats, but some still lag in implementing similar measures for protecting data on desktops, laptops and portable storage devices.

The most recent examples are Horizon Blue Cross Blue Shield of New Jersey and Georgetown University, both of which faced data compromises this month.

Horizon today said it has notified about 300,000 of its members of the potential compromise of their personal information following the theft of a laptop containing the data on Jan. 5.

A security feature on the stolen laptop automatically deleted all of the confidential information on Jan. 23, a company spokesman said. But it is not clear whether the thief who stole the computer accessed the data on the system before then, he said. The data on the laptop was unencrypted but password-protected.

"We think it is highly unlikely because the files were not readily identifiable as containing personal data," said Thomas Rubino, director of public affairs at Horizon Blue Cross Blue Shield, which services about 3.3 million people.

Rubino offered no explanation as to why the data deletion took place nearly three weeks after the computer was first reported stolen. "Obviously, if we had been able to do it before, we would have done it," he said. Blue Cross Blue Shield was in the midst of a data encryption project at the time of the theft. "Unfortunately, this computer did not have encryption on it," Rubino said. An alert posted on its Web site noted that the confidential information on the stolen laptop included names, addresses and Social Security numbers of its members. The laptop did not contain medical data on any members, the company noted.

The laptop was stolen from a health plan employee in Newark. The employee was authorized to have the information on his computer, Rubino said. But the individual appears not to have followed company policies for securing systems that are taken out of company facilities, Rubino said without offering any specifics.

Blue Cross Blue Shield is offering one year's worth of free credit-monitoring services to those affected by the breach.

-------------------------------

In a past life, I had some exposure to a mobile security system that could trigger data deletion on remote devices anywhere on the internet...how did it work?

You install a software client on the mobile device (cell phone, laptop, etc). This software client silently talks back to its master server, which you place in the DMZ...giving it the ability to talk to remote clients on the internet.

Once a mobile device has been stolen or lost, you can set the device to auto-delete all data...but this will only work if the device isn't tampered with at a software level (formatted or disabled) and it connects to the internet at some point in the future.

Perhaps three weeks in the future....
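To make the timing concrete, here is an added example (not from the Computerworld article or from any product) that audits a poll-based wipe service: for each device reported lost, it finds the first check-in after the wipe flag was set and reports how long the data stayed exposed. The log layout, device ids and timestamps are constructed and hypothetical.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data: "<date> <time> <device-id>" per client check-in.
CHECKINS = """\
2008-01-30 09:12 laptop-017
2008-01-31 17:40 laptop-017
2008-01-31 18:05 phone-202
2008-02-19 11:30 laptop-017
2008-02-05 08:00 phone-311
2008-02-06 08:01 phone-311
"""
# Constructed: device id -> time the wipe flag was set on the master server.
LOST_REPORTS = {
    "laptop-017": "2008-02-01 10:00",
    "phone-202": "2008-02-02 09:00",
    "phone-311": "2008-02-05 12:00",
}

def parse_checkins(text):
    """Return {device_id: sorted list of check-in datetimes}."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, device = line.split()
        seen.setdefault(device, []).append(datetime.strptime(f"{date} {time}", FMT))
    return {device: sorted(times) for device, times in seen.items()}

def wipe_status(checkins, reports):
    """Map each reported device to ("wiped", exposure) or ("pending", None).

    The client only learns of the wipe order when it polls the server, so the
    gap between flagging and the next check-in is the exposure window.
    """
    result = {}
    for device, flagged_at in reports.items():
        flagged = datetime.strptime(flagged_at, FMT)
        later = [t for t in checkins.get(device, []) if t >= flagged]
        if later:
            result[device] = ("wiped", later[0] - flagged)
        else:
            result[device] = ("pending", None)  # no poll since the flag: data still on disk
    return result

if __name__ == "__main__":
    status = wipe_status(parse_checkins(CHECKINS), LOST_REPORTS)
    for device, (state, window) in status.items():
        print(f"{device:12} {state:8} exposure={window}")
```

A device in the "pending" state has not contacted the server since it was flagged, so the server cannot tell whether it is powered off, offline, or reformatted.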
