A report from Japan Today states “A source close to Neo Beat, which also operates the websites of these online supermarkets, said it believes that the approximately 30,000 unauthorized accesses to its database server were likely ‘‘perpetrated by a group of professional hackers.” Japan Today also states “The company’s investigation has found that its database program has a security vulnerability which made it difficult to block attempts from outside to intrude into the database server.”

Organizations should have sufficient perimeter defenses to prevent unauthorized access to internal servers, and there should be tools in place to monitor access and detect suspicious activity, but there are two other lessons to be learned here. First, IT admins need to stay informed of vulnerabilities affecting critical systems like customer database servers and make sure they are patched in a timely manner. Second, had the data been protected with encryption–using a tool  like Zecurion Zserver Storage–the hackers would have retrieved nothing but useless gibberish and the customer data wouldn’t be compromised in spite of the other security weaknesses.

Hell Pizza director Warren Powell said ”We are honestly taking this very seriously. The last thing we have wanted to do is inconvenience our customers. We take customers’ personal details bloody seriously and we spend a lot of money on security.”

Apparently, Hell Pizza needs to learn that the quality of the security spending is more important than the quantity. Unfortunately, spending the most money is not a valid measure of the effectiveness of network security measures. Had Hell Pizza invested in Zserver Storage, the information on the breached database would have been encrypted and the only thing exposed to attackers would be useless gibberish.

It is unknown whether the thumb drive was stolen, or simply lost. But, what is known is that the missing thumb drive contains Social Security numbers, addresses, and phone numbers of the affected individuals.

Cooper University Hospital issues a statement explaining “Cooper University Hospital is investigating the circumstances surrounding a missing thumb drive. The thumb drive contained information with personal data about graduate medical education residents and fellows for the current and prior academic years. We have advised the residents and fellows who were advised to contact their local police. No other employee information was compromised. Further, No patient information or records were compromised.”

There is no indication that the data on the thumb drive was a violation of policy in any way, but it is worth noting that USB thumb drives are a significant security concern for all organizations. Portable storage media capable of holding 32Gb or more of data could contain untold volumes of sensitive or confidential information. IT admins should employ Zecurion’s Zlock to restrict access for storing data on removable media. For additional data protection, the data on removable or portable media should also be encrypted so it can’t be compromised even if the device is lost or stolen.

Had the information stored in the database been encrypted, the breach of the database would not have exposed the sensitive data.

One way that OU would be able to be certain that student information was not compromised is if the data stored on the laptop, or on servers the laptop has access to was encrypted. I am not sure why these incidents seem to occur almost exclusively at medical establishments and educational institutions, but simply investing in the proper security controls up front can save time, money, and embarrassment for the organization, as well as protecting the personal and sensitive information the organization has been entrusted with.

Examining the issue of data encryption in the cloud, the article states “Several providers of cloud-based backup storage install appliances at the customer site to accommodate encryption, but Flushing was not interested in that setup.”

It also explains “At Flushing Bank in New York, CIO Allen Brewer turned to the cloud for data backup after getting fed up with on-site tape backup. Using Zserver from Zecurion, Flushing is now sending files over the Internet to be stored for backup.”

 Read the white paper Protecting Data in the Cloud to learn more about encrypting and protecting data in the cloud with Zecurion’s Zserver.

Following on the heels of the recent botnet compromise at Penn State University, Tufts University has discovered that “several computers were recently exposed to an unknown virus or malicious software program.” As a result, roughly 7000 alumnus may have had their student ID numbers exposed–and like Penn State University the breached data is legacy data from a time when the university used the student’s Social Security number as their student ID number.

Universities, including both Penn State University and Tufts University, have abandoned that practice, but apparently have not found the time to go back through archive data and old databases to purge legacy information from the servers. While that is still a good idea, and a project that these universities should be pursuing, having sufficient data protection controls in place, such as encrypting the stored data, would ensure that it would not be exposed even in the event of a malware compromise or breach of the server itself.

A small investment in proactive security measures goes a long way and saves the organization from the lost reputation, time, and money involved in responding to a data breach incident.

Penn State has not used SSNs as a student identifier for 5 years, however an archived copy of a legacy database apparently still existed on the compromised server.

A Penn State spokesperson explained that “We have, of course, standard defenses: site-licensed antivirus, unit firewalls, patching, vulnerability scanning, web application scanning, intrusion detection and blocking of confirmed hostile sites or frequently probed ports. When a machine is compromised, it must be re-installed from known ‘good’ media before it’s allowed back on the network, since it’s not possible to truly clean a machine that’s been fully compromised.”

All of those are excellent security controls and fit nicely with established security best practices. However, the data itself should be encrypted so that if and when an attacker figures out how to circumvent those defenses the data itself will still be impervious to unauthorized access.

In a perfect world, simply stating that data should only be stored on approved USB devices, and that all data on portable storage media must be encrypted would be good enough. In the real world, though, simply stating it is not good enough. Stating a policy–without any means of monitoring or enforcing compliance with it–is simply paying lip service to data protection and gambling that a data breach incident will never occur.

West Berkshire Council lost that gamble when an unencrypted USB memory stick containing sensitive information relating to the ethnicity, and mental and physical health of children was lost. The report also contains this quote “It is essential that organisations ensure the correct safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.”

The best option to ensure correct safeguards are in place is Zlock. Zlock allows IT administrators to restrict users from writing to data to unapproved portable storage media. Access can be locked down to devices from a particular manufacturer, or of a particular type. A specific USB memory stick can be associated with each individual user, and all other memory sticks can be blocked.

In the case of West Berkshire Council, Zlock would have been instrumental in ensuring  that users relied on the encrypted USB memory sticks they were issued four years ago, rather than storing data on the now lost unencrypted USB memory stick.