Call for security overhaul in fallout over stolen laptop

20 Feb 2008

Organisations like the Irish Blood Transfusion Service (IBTS) will need to develop a proper data protection plan to ensure large volumes of sensitive data will never be moved without the strictest digital and physical security in place, an expert told

It emerged last night that a laptop containing the files of almost 175,000 Irish blood donors was stolen in New York, leading to fears that the data could fall into the hands of criminals who would know what to do with it.

“Why did this information even need to be transported at all?” asked Chris Mayers, chief security architect with software firm Citrix. “In these days of secure remote access, there is rarely any need for data to be transported anywhere.

“All organisations handling sensitive data need to take steps to keep all data 100pc secure. That means ensuring data is properly encrypted and travels only when necessary: not on ordinary CDs, printouts, or even on laptops, all of which appear to go missing with appalling regularity.

“To safeguard against this happening again, IBTS should keep all data in a datacentre, which can only be accessed from secure devices and, as it is fully protected, patients can trust that their information is kept safe,” Mayers recommended.

However, the fact that the data on the laptop was encrypted and that the IBTS voluntarily disclosed the laptop theft and set up phone lines to deal with the issue is something the organisation should be commended for, says Owen O’Connor, head of the Information Systems Security Association (ISSA).

“I’m not sure a real security breach has actually occurred here, in that the data seems to have been handled very carefully, was encrypted at the time it was stolen, and IBTS were notified of the laptop theft within a very short period,” says O’Connor

“In a sense, the potential issue of actual blood donor data being exposed has been prevented, and other organisations could learn a lot from IBTS in terms of their handling of the data transfer and their handling of the laptop theft.

“I’ll come back to their handling of the incident but in terms of the protection they put in place, it seems they included specific security requirements in their contract with the New York agency, they encrypted the data in transit to New York, they required that the data be encrypted while in New York and they were obviously in close communication with the New York agency since they were notified of this issue so quickly.”

While the data was encrypted, the IBTS said there is a remote possibility it could be unlocked. O’Connor says the real issue is the password protection on the encrypted data.

“Based on the comments I’ve seen and heard from IBTS, it sounds as though the sensitive data was contained within an encrypted volume, probably using a software product like TrueCrypt or PGP. In that case, the main concern would be the security of the password or passphrase used to access the data, in that if it were compromised then the data would certainly be accessible.

“However, given that IBTS seem to have gone to great lengths to protect the data, I wouldn’t be concerned about their using a trivial password, particularly as many of these encryption products (including TrueCrypt and PGP) will actually tell you how secure a particular password is.”

However, O’Connor warned of other more extreme scenarios such as an attacker having already compromised the password from within the IBTS or the agency in New York and then “stealing to order.”

“But I think those are far-fetched in this case, given the circumstances. Personally, I would not be concerned about the data being exposed, provided the information from IBTS and NYBC is accurate.”

O’Connor says the IBTS response to the issue compares favourably with the largest US corporations which have been forced by legislation to notify their customers of loss. “They reacted extremely quickly, provided detailed and accurate information, made executives available for detailed discussion and set up a customer helpline.

“To me this is a blow to the argument that Ireland or the EU needs to introduce mandatory breach reporting legislation, since firstly IBTS are exceeding the requirements of any likely legislation, and secondly they likely would not be required to make a disclosure based on the data being encrypted,” O’Connor concluded.

By John Kennedy