Allowing users to carry sensitive data on a portable computing device creates a certain amount of risk. But here’s a data breach that occurred because several pieces of IT equipment were stolen from an employee’s car.
Cbr Systems, a blood bank based in San Bruno, CA, recently entered into a settlement with the Federal Trade Commission (FTC) after an incident in which personal information about nearly 300,000 people was breached.
According to the FTC complaint, the breach occurred when unencrypted backup tapes, a laptop, a portable hard drive, a USB drive and other Cbr-owned IT equipment were stolen from an employee’s car.
The drives and tapes contained Social Security numbers, credit and debit card numbers, contact information, medical history, and other sensitive information about donors. In addition, personal information from registered visitors to Cbr’s website was stolen as well.
And as if that wasn’t bad enough, the stolen laptop also contained information about the company’s network, including passwords and network protocols, which could potentially be used to commit attacks against the company in the future.
Although the settlement included no civil penalties, Cbr did agree to improve its security practices. According to the FTC, the company failed to implement reasonable IT security policies and procedures. In particular, the data should have been encrypted, and the company should have had a policy against carrying around devices containing unencrypted sensitive information.
Another lesson: Don’t keep unnecessary data
A lot of data breaches happen because equipment is stolen when an employee takes it out of the office. That’s why encryption is such a critical IT security tool. But this incident also contains another valuable lesson for companies: It’s critical to be aware of what information is being stored and to have a process in place to make sure that data is deleted when it’s no longer needed.
In addition to the other allegations, the FTC argued that Cbr kept too much information for which it had no business need, and failed to make sure service providers were destroying information that was no longer needed.
- Never collect more sensitive information than the business needs
- Have policies pertaining to how long different types of data should be held, and make sure data is deleted after that point, and
- Periodically audit stored data to find and delete unnecessary information.