Archive for the ‘Data Breach’ Category

Federal Agency File Transfer Security Study

Wednesday, May 12th, 2010

A recent report by MeriTalk entitled “Why Encrypt? Federal File Transfer Report” offers interesting data and recommendations regarding securing the transfer of federal data.  Perhaps most alarming was the significant use by those surveyed of unsafe methods for transferring files:

•  66% use physical media (e.g. tapes, CDs, DVDs, USB drives)

•  60% use FTP

•  52% use personal e-mail accounts

Equally disappointing is the finding that “currently just 58% say employees are aware of secure file transfer policies.”  The study was commissioned by Axway and illustrates the gaps between what should be happening to secure the transfer of data and what is actually happening.

Use of Accellion secure file transfer within the federal government has been steadily growing with recent Accellion government deployments at:

•  US Securities and Exchange Commission

•  NASA

•  State of Florida, Department of Transportation

•  Government of Newfoundland and Labrador

•  Government of Saskatchewan, Information Technology Office

It seems from the recent study there is still more work to be done in securing file transfers by Federal Agencies.  We are here to help.

Health Records on USB Stick found in UK Car Park

Wednesday, May 5th, 2010

Another day, another data breach.  The BBC reported today that a memory stick containing health records from a nearby secure hospital facility was found by a 12-year old boy in a supermarket car park in the UK.  The information contained records of violent patients from the Tryst Park severe mental health unit at Bellsdyke Hospital, along with information about staff.

This is really getting silly.  As a spokesperson from the health authority NHS Forth Valley said “We have clear policies in place on the safe use of portable data devices.”  It seems that these clear policies either:

  1. weren’t clear
  2. didn’t cover the Asda Car Park
  3. were ignored

As mentioned before in the Accellion Blog the best idea with portable flash devices and USB sticks is DON’T USE THEM to transfer sensitive information - file transfer via USB stick is not a good idea.  Abstinence in this case really does seem the best idea.  Accellion secure file transfer technologies make it possible to quickly, securely and efficiently transfer sensitive information thus avoiding creating headline news such as today’s.

Another side benefit of using secure file transfer, other than securing the transfer of files, is it makes staff more conscious of the handling of confidential information. Did the person who dropped the USB stick in the car park really mean to take the records to Asda, or did they just forget the USB stick was in their pocket, which just happened to have a hole in it? In the case of information security humans are often the weakest link.

Sometimes safeguards are just that, they guard people from their own mistakes.  So next time you visit the local supermarket check your pockets beforehand.

Police responsible for first UK data loss subject to new fines

Wednesday, April 21st, 2010

Last Friday was not a good day for the Gwent Police in the UK.  The personal information of 10,000 people was accidentally emailed by the Gwent Police to a journalist at The Register, resulting in the first major UK data loss since new fines were introduced by the UK Information Commissioner.

It was bad enough that a Microsoft Excel spreadsheet containing birth dates and criminal record checks was sent unencrypted and without password protection.  Accidentally including the email address of a journalist at The Register in the CC: field turned this into a high profile data breach.  The Register email address was in the system because it had been used earlier for two unrelated Freedom of Information requests.

IT staff were immediately called in to tighten security measures to avoid similar incidents occurring in the future.  As a minimum that should include a secure file transfer system, content monitoring and filtering, and data encryption.

While The Register has cooperated with Gwent Police in deleting the file they did not feel compelled to comply with requests not to mention this story.
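The “content monitoring and filtering” control mentioned above can be shown as a pre-send policy check. The following is an added example, not Accellion’s or Gwent Police’s code: it lists recipients outside the organisation (Cc included, since that is where the stray address sat) and flags spreadsheet attachments that carry no password protection. The domains, addresses and attachment bytes are constructed for the demonstration; a plain .xlsx is a ZIP archive, whereas Office stores password-protected 2007+ files in an OLE2 container, so a ZIP signature means no password was applied (legacy .xls files cannot be told apart this way and are left for manual review).

```python
"""Outbound mail policy check for spreadsheet attachments.

Added example, not Accellion's or Gwent Police's code. Before a message is
released, list recipients outside the organisation and flag spreadsheet
attachments that carry no password protection. Domains, addresses and
attachment bytes below are constructed for the demonstration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"force.example"}                 # assumed internal domain
SPREADSHEET_EXT = (".csv", ".xlsx")
ZIP_MAGIC = b"PK\x03\x04"                            # start of a plain OOXML file
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # start of an OLE2 container


def external_recipients(msg, internal_domains=INTERNAL_DOMAINS):
    """Every To/Cc/Bcc address whose domain is not internal. Cc is checked
    too, since that is where the stray address sat in the incident above."""
    raw = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    externals = []
    for _name, addr in getaddresses(raw):
        domain = addr.rpartition("@")[2].lower()
        if domain and domain not in internal_domains:
            externals.append(addr)
    return externals


def is_unprotected_spreadsheet(filename, data):
    """A .csv is always plaintext. An .xlsx without an Office password is a
    plain ZIP; Office wraps password-protected 2007+ files in an OLE2
    container instead, so a ZIP signature means no password was applied."""
    name = filename.lower()
    if name.endswith(".csv"):
        return True
    if name.endswith(".xlsx"):
        return data.startswith(ZIP_MAGIC)
    return False


def check_outbound(msg):
    """Return (rule, detail) pairs for the policy violations in one message."""
    violations = []
    externals = external_recipients(msg)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(SPREADSHEET_EXT):
            continue
        data = part.get_payload(decode=True) or b""
        if is_unprotected_spreadsheet(name, data):
            if externals:
                violations.append(("unprotected-spreadsheet-to-external",
                                   f"{name} -> {', '.join(externals)}"))
            else:
                violations.append(("unprotected-spreadsheet-internal", name))
    return violations


def build_sample_message(attachment=ZIP_MAGIC + b"\x00" * 32,
                         cc="newsdesk@press.example.net"):
    """Constructed message shaped like the incident: internal sender and To,
    an external address in Cc, and a spreadsheet attachment."""
    msg = EmailMessage()
    msg["From"] = "records@force.example"
    msg["To"] = "vetting@force.example"
    if cc:
        msg["Cc"] = cc
    msg["Subject"] = "Checks spreadsheet"
    msg.set_content("Attached as requested.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                       filename="checks.xlsx")
    return msg


if __name__ == "__main__":
    for rule, detail in check_outbound(build_sample_message()):
        print(f"BLOCK  {rule}: {detail}")
```

In a real gateway the check would run as a milter or transport rule and hold the message for the sender to confirm, rather than silently blocking it; the point is that the combination of an external recipient and an unprotected spreadsheet is detectable before the message leaves.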

Digital Copiers and Scanners – Digital Time Bombs

Tuesday, April 20th, 2010

CBS News chief investigative correspondent Armen Keteyian wins the Accellion Top Sleuth award this week, with his story on Digital Photocopiers Loaded with Secrets. Holey Moley, what were people thinking when they discarded their digital photocopiers?  Digital copiers contain hard drives that store images of documents, scanned, copied and emailed from the machine.  Extracting this info from discarded photocopiers is not much of a challenge, especially when the disk is not encrypted. Apparently one photocopier even had a sensitive document still under the copier glass. While major manufacturers of digital copiers and scanners offer security and encryption packages, there is mounting evidence that organizations aren’t generally aware of the security risks inherent with these devices.

So why the interest by Accellion in digital copiers and scanners?  We’ve had our eye on these little beasties for quite some time as potential sources of data leakage. Today’s digital copiers and scanners provide the ability to scan a document and then email the resulting digital file as an email attachment. Without security controls, digital copiers and scanners pose a serious threat to the protection of intellectual property and to compliance with regulations such as HIPAA. In addition, scanned documents create huge email attachments that wreak havoc on email performance.  A couple of years ago we introduced the SMTP Satellite to plug this security hole and improve email performance.

With the Accellion SMTP Satellite organizations can secure and track the transfer of scanned documents and offload delivery from email.  And we’ve written earlier on our view that disk and data encryption is always a good idea.

Failing Grade For Student Data Breaches

Wednesday, March 31st, 2010

It’s not been a good week, or month, for protecting the personal information of students.  If it wasn’t bad enough having to take out a loan for college, 3.3 million students now discover that their student loan information has been stolen from Educational Credit Management Corporation as reported in eWeek yesterday.

Also this week, across the pond in the UK, 9,000 students had their personal information stolen from a Barnet Borough Council member’s home. In this case the information included not only names and addresses, but indicators for language, gifted and talented, and special education needs.  Based on the response by Barnet Borough Council to this data breach, it is safe to assume that the wisdom of storing such sensitive information on unencrypted CD-ROMs and USB memory sticks is not being viewed as gifted or talented.

And then earlier in March there was the data breach at Vanderbilt University affecting 7174 students, the Cal State University in Los Angeles data breach of math grades and SSNs for 232 students, and the P2P breach at New Mexico State University that exposed 300 students’ SSNs.

It seems a rather cruel lesson to become a data breach victim even before you are out of school.  We started an initiative a couple of years ago to encourage educational organizations to provide secure file transfer capabilities for use by faculty and students and Help Prepare Digital Natives for the Workplace.  I’m happy to report that many universities have now deployed Accellion to protect the transfer of sensitive student information, and in the process are training a whole new generation about how to protect sensitive data.

If you handle student data and are concerned about your file transfer security grade report, please give us a call.  We are here to help.

DLP and Archiving coming back to life?

Tuesday, March 16th, 2010


I sit in on a lot of Sales calls at Accellion and have noticed a new trend in the past few months. It used to be when we brought up the need for Archiving or DLP integration with Accellion, that organizations would say they do have this requirement but aren’t doing anything about it right now. Suddenly it seems to be the new hot topic…must have DLP, must Archive. Now this isn’t every company I talk to, but I am surprised at the types of companies who say they need this. Especially the retail sector. I also hear it from Law offices, which makes sense. I think last year lawyers were holding back on any new systems, but now suddenly have a pent-up need for this.

Is this upsurge in demand for Archiving and DLP a result of the economy getting better or because organizations have been going without protection for so long that they are getting nervous about getting caught? Anyone have an opinion?

Mary Nicknish, Accellion Product Manager

Top 3 File Transfer Security Mistakes

Tuesday, March 9th, 2010

Thought it might be helpful to share our perspective on the Top 3 Security Mistakes related to File Transfer along with some tips on how to avoid them.  After all, staying out of trouble is half the battle.

Mistake #1  - Using P2P file sharing software at work.

Using P2P file sharing in the workplace is just not a good idea. Installing P2P file sharing on a work computer can get you into a heap of trouble by inadvertently exposing computer files externally. The FTC recently had to inform 100 organizations that personal customer and employee data was being shared on P2P networks.  Legislation is under review that would require stricter notifications on the security hazards of P2P file sharing.  The best advice here is to practice P2P workplace abstinence – don’t use P2P file sharing in the workplace.

Mistake #2 – Sending confidential information via an email attachment, USB stick or CD

Email attachments, USB sticks and CDs are not a secure means of file transfer. When sensitive information is sent unsecured then an organization is at risk for non-compliance with industry and government regulations including HIPAA, SOX, and GLBA.  Files containing confidential information need to be protected to avoid data breaches. USB sticks and CDs can easily be misplaced or lost in transit, as the UK Government discovered in 2009 when disks containing personal information on 25 million UK citizens went missing in the Royal Mail. Email attachments are not secure and do not provide the encryption required by HIPAA. If a file contains confidential information it needs to be sent via secure, encrypted channels.

Mistake #3 – Forgetting to clean up files on unsecured FTP servers

Everyone knows that FTP is not the most user friendly business application, and cleaning up files previously uploaded to an FTP server probably ranks right up there in priority with cleaning out the lint from your trouser cuffs.  In the hands of business users, FTP servers become a security breach waiting to happen.  Files uploaded and left indefinitely on the FTP server can result in many years’ worth of files sitting out on unsecured FTP servers.  Coupled with the commonplace sharing of FTP account names and passwords, FTP servers are often a weak link in an organization’s data security program.

The good news is that managed file transfer can keep you out of trouble in all these areas.
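One practical counter to Mistake #3 is a scheduled retention sweep of the FTP upload root. The script below is an added example, not Accellion’s code: it walks an upload directory, reports every file that has sat there longer than the retention window (oldest first, with size and whether the file is world-readable), and deletes them only when asked to. It runs on a local directory, which is what an FTP upload root is on the server itself; the paths, the 90-day window and the sample files are assumptions constructed for the demonstration.

```python
"""Retention sweep for an FTP server's upload root.

Added example, not Accellion's code. Finds files that have sat in the
upload area longer than the retention window, reports them, and removes
them when delete=True. Paths, window and sample files are assumptions.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path


@dataclass
class StaleFile:
    path: Path
    age_days: float
    size_bytes: int
    world_readable: bool   # st_mode has the "other read" bit set


def find_stale_files(root, max_age_days, now=None):
    """Return files under root last modified more than max_age_days ago,
    oldest first. 'now' may be supplied to make the check reproducible."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    stale = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        if st.st_mtime < cutoff:
            stale.append(StaleFile(
                path=path,
                age_days=(now - st.st_mtime) / 86400,
                size_bytes=st.st_size,
                world_readable=bool(st.st_mode & 0o004),
            ))
    return sorted(stale, key=lambda s: s.age_days, reverse=True)


def sweep(root, max_age_days, delete=False, now=None):
    """Report stale files and remove them when delete=True. Returns the list
    so a scheduled job can log what was found and what was removed."""
    stale = find_stale_files(root, max_age_days, now)
    for item in stale:
        flag = " (world-readable)" if item.world_readable else ""
        print(f"{item.age_days:7.1f} days  {item.size_bytes:>9} B  {item.path}{flag}")
        if delete:
            item.path.unlink()
    return stale


def make_demo_tree(base=None, now=None):
    """Constructed sample upload area: one fresh file and two that have
    overstayed a 90-day window. Modification times are set artificially."""
    now = time.time() if now is None else now
    base = Path(tempfile.mkdtemp()) if base is None else Path(base)
    samples = {                               # relative path -> age in days
        "inbound/fresh_invoice.csv": 2,
        "inbound/old/customer_export.csv": 120,
        "inbound/old/payroll_2008.xls": 400,
    }
    for rel, age_days in samples.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content\n")
        mtime = now - age_days * 86400
        os.utime(p, (mtime, mtime))
    return base


if __name__ == "__main__":
    demo = make_demo_tree()
    print(f"Stale files under {demo} (90-day window):")
    sweep(demo, max_age_days=90)
```

Run it from cron against the real upload root with `delete=False` first so the report can be reviewed, then enable deletion once the window matches the organisation’s retention policy; the world-readable flag is there because a forgotten file that is also readable by every account on the server is the worse of the two problems.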

Email Attachments – Misconceptions Compromise Security

Wednesday, March 3rd, 2010

Are organizations aware of the security risks from email attachments? Generally not.

With email attachments typically accounting for more than 70% of e-mail volume, the bulk of data on email systems resides in the email attachments not email messages. Unfortunately in many organizations the management of email attachments is an afterthought leading to security vulnerabilities.

The disturbing reality is that users will try to force as much information through email as they can get away with.  Without adequate security controls in place users commonly send confidential information unprotected through email attachments.  In cases where users hit email attachment size limits, they rapidly seek out unsecure IT workarounds such as thumb drives, CDs and P2P file sharing, just to get their job done.

So why the apparent lack of concern regarding the security of email attachments?  Here are just 3 of the common misconceptions:

•  Misconception #1: E-mail attachments are limited to 10MB; therefore, the risk of a data breach from file transfer is minimal.
•  Misconception #2: FTP is available; therefore, the risk of a data breach from file transfer is minimal.
•  Misconception #3: We haven’t experienced a security breach from unsecure file transfer, so the risk of a data breach from file transfer is minimal.

To learn how these common misconceptions compromise security read the full article published in Enterprise Systems this week.

Given the increased profile of data breaches and updated and extended compliance regulations such as HIPAA, now is not the time to ignore security vulnerabilities. Organizations, large and small, are waking up to the hazards of email attachments and are deploying managed file transfer solutions to protect confidential information and ensure compliance.

Give us a call if you would like to review the security of email attachments and investigate deployment of a managed file transfer solution to protect your organization.

FTC Raises P2P File Sharing Alarm

Wednesday, February 24th, 2010

The Federal Trade Commission raised the P2P File Sharing Alarm this week by sending letters out to 100 organizations informing them that personal information on customers and employees was being shared via P2P networks.  The FTC news was widely reported this week including a comprehensive article in InfoWorld.

The FTC Peer-to-Peer File Sharing guidelines for businesses includes this advice “Any company that collects and stores sensitive information must consider the security implications of using P2P file sharing software and minimize the risks associated with it.”

This isn’t news to Accellion – we have been raising awareness of hazards of P2P file sharing for quite some time.  Many business users don’t realize that the same P2P software they use to freely exchange personal files may also be configured to access and share virtually all of the files that reside on their computer hard drive or network servers.  In a business environment this leaves organizations exposed to potential data breaches.

Here are a couple of recent Accellion articles on this topic:

•  Is P2P changing How You Prepare for a Security Audit? published in the SOX Compliance Journal
•  Secure File Transfer – P2P Alternatives – published in Enterprise Systems.

Concerns regarding data breaches from P2P file sharing have been brewing for a while.  Some of the more interesting P2P embarrassments from last year included Rampant P2P Medical Data Leakage and Obama’s Helicopter Plans leaked over P2P.

In a nutshell, P2P file sharing creates security vulnerabilities for organizations, and Accellion’s advice is that implementation of a secure file transfer solution will safeguard organizations and their users from the hazards of P2P file sharing.

If you are one of the organizations who received a letter this week from the FTC, or are worried you might be next on the list, please give us a call – we’re here to help.

Shell Hit By Massive Data Breach

Wednesday, February 17th, 2010

The Register reported this week a massive data breach at Shell.  A contact database of 176,000 staff and contractors at Shell was copied and forwarded to activists and lobbyists.  The interesting twist to this data breach is that the contact database was reportedly emailed out on behalf of 176 “concerned staff”.  Investigations are already underway by the Chief Ethics and Compliance Officer at Royal Dutch Shell to get to the bottom of who downloaded and distributed this sensitive information but it certainly was not authorized.

While Shell is downplaying the confidentiality of the data that was stolen, this data breach raises important questions regarding the vulnerability of other data.  A contact database for 176,000 contacts is no small file, so it will be interesting to learn what systems were used for downloading and distributing the data and what safeguards were or were not in place to prevent such a breach.

One thing is for certain: if Shell had a managed file transfer system in place they would have records of the who, what, where and when of every file transfer going out of the company.  It would be a good starting point in tracking down those responsible.