Tuesday 29 March 2011

BP in troubled waters over Gulf oil spill data spill | Naked Security


Filed Under: Data loss, Featured, Law & order, Privacy

US National Public Radio (NPR) reports today that BP's Gulf oil spill woes - which already include paying out compensation amounting to a whopping $4,000,000,000 - have been worsened by a data spill.

Ironically, the lost data includes personally identifiable information (PII) about some 13,000 oil spill compensation claimants.

NPR reports that names, addresses, phone numbers and social security numbers - a key aspect of personal identity in the USA - were amongst the data lost.

The sobering part of this regrettable incident is that it happened because a single laptop was lost or stolen "during routine business travel". And laptops are easy to lose - back in 2008, we wrote about a survey which found that 12,000 laptops are lost every week at US airports alone.

(Re-read those numbers above. When I first saw them in print, I misread the figure as "12,000 laptops lost per year", which sounded bad enough. It took a while before I realised that the rate was per week - 50 times higher than the number that had already got me worried!)

Back in that 2008 survey, almost three years ago now, 53% of people said that their laptops contained confidential business information, with two thirds having taken no measures to secure their data. Clearly, some companies still aren't taking appropriate measures.

We all need to lift our game, even in countries like Australia, and much of the rest of Asia Pacific, where security breaches can simply be swept under the carpet thanks to the lack of mandatory disclosure laws.

Even if you're the sort of organisation which is willing to take risks with your own data - sales forecasts, trade secrets, and that sort of thing - you have a clear moral duty not to take risks with data you keep about other people.

Unfortunately, in those parts of the world where encryption and mandatory disclosure are not enforced by law, many sysadmins are being squeezed by budgetary pressures to do as little as possible about encryption-related security.

I'm not sure I understand that sort of economy. Surely your customers (or students, constituents, clients - whatever you call them in your sector) will value your service much more strongly if you can show that you are willing to do what's right and safe with their data?

Why not consider the value of encryption to your business, instead of considering only the cost?

(To protect data on your own computers, especially if you intend to back it up or want to share it securely with friends on the web or via email, why not pick up a copy of Sophos Free Encryption for Windows today? Direct download - no registration required.)