Small Vulnerabilities Can Lead To Catastrophic Results [Part 2]

Not all leaks are the result of malice.

Often, a data loss event is the result of a more conventional crime. In 2009, thieves stole a laptop owned by the US Department of Veterans Affairs. The loss of a single laptop would hardly be an issue for the VA, however, this particular laptop contained the personal information on 26.5 million veterans and active duty personnel. As a result of this information leaking, the VA was forced to settle a class action lawsuit with a payment of $20 million. Though it would be difficult to prevent all theft of hardware, if the VA had implemented a policy of mandatory encrypted data-at-rest, the information contained on the laptop would have remained secure, and the VA would have saved the $20 million that the lawsuit cost.

Not to be outdone by the VA's data leak, in 2009 the US National Archives and Records Administration also experienced their own leak of veterans' sensitive information, a total of 76 million records. The leak occurred because the database containing these records was stored on a RAID array that experienced a hard drive failure. When the drive was deemed un-recoverable by NARA, they sent the drive to the manufacturer for repairs. Unfortunately, before sending the drive, NARA failed to destroy the sensitive data contained on the drive. The sensitive data included names, contact information, and Social Security Numbers. If NARA had a policy of encrypted data-at-rest, or a policy of sanitizing hard drives of sensitive information before sending them off-premises, these record would have never been leaked.

At Cadre, we advise every customer to carefully consider their security policy as it relates to DLP, media control, and physical security, as the costs of inconsistent vigilance can be staggering.