Preventing electronic security breaches still comes down to the fundamentals

Madison, Wis. - Joe Campana's recent work on compromised data was not inspired by the data breaches reported in Wisconsin state government earlier this year.

Campana, an identity theft, privacy, and information security consultant with J. Campana & Associates, tracks data breaches in Wisconsin and beyond. As he scanned data loss databases last month, he saw a significant number of breaches in the public sector - both educational institutions and various units of government.

The result of his analysis - a full report with more emphasis on the private-sector is due next month - shows that U.S. public sector data breaches account for more than half of all reported information security breaches, putting more than 60 million consumer profiles at risk.

The sources he checked are compiled by the Open Security Foundation and the Privacy Rights Clearinghouse databases, to which information is voluntarily submitted. Given their voluntary status, it's highly likely that this is not a full accounting. (A full chronology of Wisconsin data breaches reported to the Privacy Rights Clearinghouse since 2005 is provided at the end of this article).

Still, as Campana studied the databases, he said “it was hitting me that wow, there are a lot of government agencies here.” Another thing that was obvious to Campana was the high number of breaches that were preventable with well-communicated best practices and processes.

Lost laptops

In the education sub-sector, where more than 10 million student, parent, employee, and other consumer profiles have been compromised, 35 percent of data breaches involved lost or missing laptop computers or electronic storage devices like thumb drives. Lost magnetic tapes, which are back up tapes used for storing data, also accounted for some of the breaches, as did non-electronic sources like lost paper or microfiche files.

In one episode, the University of Miami (Fla.) School of Medicine had 2.1 million profiles on stolen magnetic tape, Campana said.

For K-12, the top three ways data was lost was through hacking, stolen electronic materials, or through web access. In this sub-sector, stolen laptops accounted for more than 25 percent of the data loss.

Campana pinpoints a lack of best practices as a general reason for these continuing problems. While it's true that hackers and other cyber criminals are becoming more sophisticated, he said it's mostly a lack of best practices, especially when organizations have “information walking out the door” on thumb drives and laptops.

“The laptops are a particular peeve of mine because people don't protect the laptop's data and the solution, encryption, is so simple,” he stated.

Campana said there is a misconception that encryption automatically impacts the performance of computing systems, and that it's expensive and complex to use.

He said consumers can get free encryption programs through services like TrueCrypt and other open-source programs.

While it's true that there will be performance issues for a large database with millions of profiles, encryption is “completely invisible” for the average user, Campana said.

Municipal web woes

With municipal governments, sensitive information often was posted on the Internet that should not have been there. Due to a design flaw, Campana said some municipalities had data that was not protected behind a firewall. For example, cyber criminals had access to certain real estate listings that should not have been on the public side of the Internet.

“A lot of these [flaws] have been caught over the past three years, but that doesn't mean all the sensitive information has been removed,” Campana said.

Campana said there were no electronic data breach reports among the 15,000 township governments in the U.S. because they still rely on paper records and they don't have the controls in place to detect breaches. If there is compromised data in these contexts, it's more likely to be when tax records are thrown in the trash rather than disposed of by way of a paper shredder.

Just about every state, including Wisconsin, has a breach notification law, but other states have established tougher standards for protecting data in the first place. Texas, for example, has data-protection laws with combined penalties of up to $75,000 and a fee of $500 per lost or improperly disposed of paper record. In Wisconsin, a violation of that nature would carry a $1,000 fine, and only for certain industries such as financial services, healthcare, and tax preparation.

Campana credited Texas Attorney General Greg Abbott for actively prosecuting companies for improper disposal of paper records. This has the preventative benefit of increasing public awareness of the issue.

Wisconsin's notification law requires businesses and public sector entitites, including nonprofits, to notify people within 45 days of when they find a breach. If they don't, that lack of notification can be used as proof of negligence when enforcing other laws.

A number of federal data-protection laws have significant penalties, including imprisonment of executives and hefty fines. In Campana's view, Wisconsin really doesn't need a strong state law, and the state attorney general can enforce federal laws. However, that does not mean Wisconsin cannot establish legislation with more bite.

State response

Mike Lettman, director of information security for the state division of enterprise technology's office of security, does not disagree with Campana about the value of encryption, but not in all contexts. Lettman said data encryption would not have prevented any of the reported data breaches in state government earlier this year.

In one case, technology vendor Electronic Data Systems mistakenly mailed 260,000 brochures to Medicaid recipients that included their Social Security numbers on the address labels. Prior to that, the state Department of Revenue sent mailings to 5,000 people with their Social Security numbers visible in the address window. As a result, state agencies have been directed to abandon the practice of using Social Security numbers as personal identifiers.

State agencies that guard sensitive information are looking into what Lettman called full-disk encryption, or “data arrest,” to protect data. By Lettman's count, the state has 52 agencies; only a few now use encryption. Identifying the agencies that should encrypt data involves determining which agencies have sensitive data worth protecting.

“Take the tourism department,” Lettman said. “Would you go out of your way to encrypt data that can be found in a phone book?”

At the state level, Lettman said he is not aware of any data that would not be behind some type of firewall, but even firewalls can't prevent all types of hacks from occurring, he noted.

While a lot of companies don't have the capability “to even know they have been breached,” Lettman said the state has systems in place to protect data from the full range of cyber threats.

According to Lettman, the state has multiple layers of security controls, not just firewalls, in place to protect all sensitive information. He said firewalls are not very useful against the main threat matrix used in web attacks by organized crime to get access to identities or sensitive information.

In this environment, the state needs all the protection it can get. It now gets approximately eight million e-mails per day from the Internet, but only about 400,000 are delivered daily to the state e-mail system, Lettman noted. The rest are dropped as spam or malware.

In addition, the state gets scanned from the Internet about 19,000 times per hour. Lettman indicated that these primarily are hostile scans looking for vulnerabilities or ways to compromise state systems. Moreover, about 45,000 SQL injection attempts are made per day against state systems in an attempt to harvest information.

Related story

• Report: Personal information at peril in public sector

Chronology of Wisconsin data beaches from the Privacy Rights Clearinghouse.

• Sept. 13, 2006, American Family Insurance, Madison. Type of breach: The office of an insurance agent was broken into and robbed last July. Among the items stolen was a laptop with customers' names, Social Security numbers (SSNs), and driver's license numbers. Number of records: 2,089 customers.

• Dec. 2, 2006, Gundersen Lutheran Medical Center, LaCrosse. Type of breach: A medical center employee used patient information, including SSNs and dates of birth, to apply for credit cards in their names. As patient liaison, her duties included insurance coverage, registration, and scheduling appointments. She was arrested for 37 counts of identity theft, and was convicted of identity theft and uttering forged writing, according to the criminal complaint. Number of records: Unknown.

• Jan. 1, 2007, Wisconsin Dept. of Revenue via Ripon Printers, Madison. Type of breach: Tax forms were mailed to taxpayers in which SSNs were inadvertently printed on the front of some Form 1 booklets. Some were retrieved before they were mailed. Number of records: 171,000 taxpayers.

• Feb. 2, 2007 Wisconsin Assembly, Madison. Type of breach: A document containing personal information of Wisconsin Assembly members was stolen from a legislative employee's car while she was exercising at a local gym. It contained names, addresses, and SSNs. Number of records: 109 Assembly members and aides.

• Feb. 19, 2007, Social Security Administration, Milwaukee. Type of breach: Files of disability applicants containing Social Security numbers, addresses, phone numbers of family members, dates of birth and work history, and detailed medical information were lost/stolen when a telecommuting employee abandoned them in a locked filing cabinet at home after a threat of domestic violence. Several of the files were mailed back to the local SSA office months later; others were found in a dumpster more recently, and four were never recovered. Number of records: 13.

• June 27, 2007, Milwaukee PC, Milwaukee. Type of breach: Credit card information for 65,000 was possibly compromised. A service center noticed a file in their server and was concerned that file could contain customers' credit card numbers and personal information. Number of records: 65.

• Nov. 16, 2007, University of Wisconsin-Whitewater. Type of breach: Officials were notified by one individual about his ability to access a online search feature for the schools website. A search feature that could be used to see student names and SSN numbers, along with some other limited student information. Access to the feature was promptly disabled upon notification of the problem. Number of records: Unknown.

• Jan. 8, 2008, Wisconsin Department of Health and Family Services, Madison. Type of breach: SSNs were printed on about 260,000 informational brochures sent by a vendor hired by the state, Electronic Data Systems Inc. (EDS), to recipients of SeniorCare, BadgerCare, and Medicaid. The company agreed to pay $250,000 to the state for the mistake, as well as paying for an identity theft monitoring service for the affected individuals, for a total of about $1 million. Number of records: 260,000.

• Jan. 16, 2008, University of Wisconsin-Madison. Type of breach: The personal information, including e-mail addresses, phone numbers, SSNs, and campus ID numbers of faculty and staff who made purchases from the DoIT computer shop had been accessible on a campus Internet site. Number of records: Unknown.

• Feb 13, 2008, Milwaukee County, Milwaukee. Type of breach: County officials mistakenly released numerous confidential court records for a citizens group's website that detail payments for tests and other costs linked to mental competency, paternity, and guardianship cases. Entries for psychiatric examinations and guardianship fees in which the clients' names were still listed. Number of records: Unknown.

• April 4, 2008, Harley-Davidson, Milwaukee. Type of breach: A laptop computer containing certain Harley Owners Group members' personal information was determined to be missing from their facilities. The personal information stored on the computer included names, addresses, credit card numbers, their expiration dates, and driver's license numbers. Number of records: 60,000.

• April 24, 2008, Harmony Information Systems. Type of breach: A computer program housing personal information about Wisconsin seniors and disabled people had a significant security hole. A senior center volunteer in McFarland, Wis. said he could see hundreds of files of people's private information from across the country in the system run by Virginia-based Harmony Information Systems. The information is entered into an electronic record that includes the person's name and Social Security number. Number of records: Unknown.