More Data Security Breaches
The fact that additional data security breaches have recently occurred should come as no surprise. What is so interesting about one of the most recent ones, however, is the way 4.2 million pieces of credit and debit card information at Hannaford Supermarkets appear to have fallen into the wrong hands. This supermarket chain stores this type of information on branch servers that collect and hold information sent from its many points of sale before forwarding it to central servers. Perpetrators appear to have broken into one or more of these branch servers to gain unauthorized access to this information. Ironically, it appears Hannaford Supermarkets was compliant with the PCI-DSS data security regulations. To its credit, this corporation promptly notified the credit and debit card holders. This incident shows that although the PCI-DSS regulations are basically sound from a security standpoint, they are by no means perfect; being PCI-DSS compliant is no guarantee that data security breaches will not occur. Hopefully, the PCI-DSS consortium will consider changing these regulations in a manner that will help prevent incidents such as the one that Hannaford Supermarkets experienced.
Additionally, a stolen laptop resulted in sensitive medical data pertaining to 2,500 patients who were participating in a National Institutes of Health (NIH) study being compromised. Superficially, a data security breach involving only 2,500 individuals does not appear to be very noteworthy in comparison to ones in which millions of pieces of data have been compromised (as in the case of Hannaford Supermarkets). The nature of the information compromised in the NIH laptop incident makes this mishap very significant, however. Names of the patients, their medical diagnoses, and information concerning their heart scans were among the data stored on the stolen laptop system. Although federal law requires encryption of clinical trial and similar information, none of this information was encrypted. Although this incident occurred nearly a month ago, the NIH did not notify potentially affected individuals until last week, saying that notifying individuals earlier might have caused undue alarm. What a crock! I hope that news about this incident and the way it was handled causes you to experience the same amount of indignation toward NIH that I feel. NIH was clearly downright negligent in its care (or perhaps better said, its lack of care) in handling these sensitive data, and it only made things worse when it failed to promptly disclose what happened to those who were potentially affected. NIH management ought to be preparing new resumes, if they have not already done so.
The toll from data security breaches continues to mount, yet organizations around the world continue to remain in blissful ignorance unless they experience a data security breach firsthand. The fact that there are so many threat vectors and also that data retention and eDiscovery requirements preclude data destruction practices that were commonplace only a few years ago greatly compounds the risk. One can only wonder how many data security breaches will have to occur before senior management finally catches on that there is a big problem here and that something needs to be done about it.