Stop the Empty Assurances about Stolen Data


I've been talking about data breaches (who hasn't, especially since the TJX incident). But there's also Anthem Blue Cross Blue Shield's stolen backup tapes, computers stolen from Towers Perrin, KeyCorp and Boeing, and the latest report from the VA of a portable hard drive being taken.

And I've kvetched that there's a critical point that seems to go unquestioned by the press when one company or other reports a stolen laptop. That is, the company or government agency nearly always makes a statement along the lines of, "There's no evidence the data has been accessed by the thieves."

Sure, there's no evidence, in the sense that the thief hasn't sent a letter to the CEO bragging about reading the data and putting it to bad use. But in truth there's virtually no way to know for sure whether an experienced data thief with decent computer smarts has read the data on a stolen machine, as Jason Paroff, a computer forensics director at Kroll, made clear in our story on Providence Health System recently.

Now the people at attrition.org, who do a super job of tracking data loss incidents in the United States, provide a succinct assessment of the corporate boilerplate, as well as some basic technological counterpoints to that hooey. Attrition.org is a nonprofit Web site that collects and disseminates security-related information.

Using the Department of Veterans Affairs as an example, they pick apart the VA's claim last year that sensitive information on a stolen laptop wasn't compromised. As the VA explained at the time, the laptop was recovered, the FBI did some unspecified computer forensics tests, et voilà! They discovered the data wasn't accessed.

"The irony of law enforcement claiming the information was not accessed is that the method used to conduct a forensic examination is the exact same thing an attacker would do to access the data without detection," attrition.org says. "Law enforcement knows this, 'independent examiners' know this and the companies making these bogus statements know this." For example, attrition.org points out, someone using Knoppix, a Linux distribution that boots and runs entirely from a CD without ever logging in to the installed operating system, "could potentially bypass security measures implemented on lost or stolen drives. Period." The thief could also remove the stolen hard drive from the laptop and do a bit-by-bit copy to get around any password protection on the machine, attrition.org notes; a login password gates the operating system, not the bytes on the disk, and reading those bytes from another machine leaves nothing behind on the original.
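As an added example of what attrition.org is describing (not code from the original column or from attrition.org): the script below builds a constructed "stolen disk" as a plain file, images it bit for bit the way dd would, carves the records straight out of the copy without any login, and then checks the original for the kind of evidence a naive "was it accessed?" test might look for. The disk contents, the block size, the record format and the fake password hash are all assumptions made up for the demonstration.

```python
"""Image a 'stolen disk' bit for bit and show the original carries no trace of the read.

The disk is a constructed file standing in for a raw drive; nothing here touches real hardware.
"""
import hashlib
import os
import tempfile

BLOCK = 4096  # dd-style fixed block size for the copy loop (assumed value)

# Constructed sample of what a raw disk holds once you look past the login prompt.
# The 'password hash' line gates an OS login; it does nothing to the bytes around it.
SAMPLE_DISK = (
    b"BOOT\x00" * 16                                                     # stand-in boot sector
    + b"/etc/shadow: user:$1$saltsalt$notarealhashjustfiller:0:0:99999\n"  # fake login gate
    + b"\x00" * 2000                                                     # free space
    + b"patient=A. Smith;SSN=000-00-0001;dx=filler\n"                    # constructed records
    + b"patient=B. Jones;SSN=000-00-0002;dx=filler\n"
    + b"\x00" * 3000
    + b"patient=C. Lee;SSN=000-00-0003;dx=filler\n"
    + b"\x00" * 1000
)


def write_stolen_disk(path, contents=SAMPLE_DISK):
    """Create the constructed disk image that plays the role of the stolen drive."""
    with open(path, "wb") as f:
        f.write(contents)


def sha256_file(path):
    """Hash a file in blocks; the examiner's and the attacker's integrity check alike."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_disk(src, dst):
    """Bit-for-bit copy of src into dst, as dd if=src of=dst would produce.

    src is opened read-only and only ever read; nothing is written to it.
    Returns True when the copy hashes identically to the source.
    """
    with open(src, "rb") as s, open(dst, "wb") as d:
        for chunk in iter(lambda: s.read(BLOCK), b""):
            d.write(chunk)
    return sha256_file(src) == sha256_file(dst)


def carve(image_path, needle):
    """Return the byte offset of every occurrence of needle in the raw image.

    No account, no password, no filesystem driver: just a search over bytes.
    """
    with open(image_path, "rb") as f:
        data = f.read()
    offsets = []
    pos = data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def evidence_of_access(stat_before, stat_after):
    """What a naive 'was it accessed?' check could look at on the original drive.

    Size and modification time are unchanged by reading, so the check finds nothing.
    """
    changed = (stat_before.st_size != stat_after.st_size
               or stat_before.st_mtime_ns != stat_after.st_mtime_ns)
    return changed


def demo():
    """Run the whole sequence in a temp dir and report what each side sees."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "laptop.img")
        copy = os.path.join(tmp, "laptop.dd")
        write_stolen_disk(disk)
        before = os.stat(disk)
        identical = image_disk(disk, copy)          # the thief's (and examiner's) step
        ssns = carve(copy, b"SSN=")                 # read from the copy, never the original
        after = os.stat(disk)
        return {
            "copy_identical": identical,
            "ssn_records_in_copy": len(ssns),
            "evidence_on_original": evidence_of_access(before, after),
        }


if __name__ == "__main__":
    print(demo())
```

On a real drive the same read happens through the raw block device with the filesystem on it never mounted, so even the access times of files inside it are untouched; the host's access time on the image file is the only thing this simulation disturbs, and a live CD that mounts the drive read-only with noatime avoids even that. Every check the examiner can run afterwards is a check the thief already passed.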

I say, can we act like grown-ups now and acknowledge these technological realities of data breaches instead of issuing statements to cover corporate butts?

If they don't do this already, the PR people and senior executives who make the announcement about stolen computer equipment should spend time with their own IT staff first, learning how the missing data can or can't be accessed. Those execs then might decide that rather than assuage fears, the boilerplate language about no evidence of data tampering actually does their organization a disservice.

Such proclamations sound empty and, increasingly, clueless. Saying you have no evidence of anyone's data being compromised just a few weeks after a laptop gets taken isn't meaningful because identity theft may happen months or even years later, as we pointed out in our Providence story. One of Kroll's clients, for example, has had problems crop up five years after its data was stolen, according to Troy Allen, Kroll's chief fraud officer.