Friday, November 18, 2011
(sigh) Another data breach in Hawaii: East West Center did not encrypt sensitive APEC data
by Larry Geller
Today’s lead story reveals that another Hawaii institution, the East-West Center, does not know how to protect sensitive data.
East-West Center President Charles Morrison sent letters dated Tuesday to about 40 APEC Host Committee members informing them of a security breach caused by "an outside source using unusually sophisticated methods that escaped our detection capabilities."
The East-West Center collected birth dates and Social Security numbers from committee members on behalf of the White House so the members could meet Obama and be photographed with him and first lady Michelle Obama Saturday night.
[Star-Advertiser, APEC committee alerted to possible data breach, 11/18/2011]
The reporter does not say whether he asked if the data was encrypted. Had the data been encrypted at rest, with the key kept somewhere the intruder could not reach, a break-in that copied the files would have yielded nothing readable.
Did the E-W Center simply collect Social Security numbers and keep them in an Excel or Word file?
Had the data been properly encrypted, they could have published the file on Facebook and no one would be able to read it. Even after detecting an intrusion, they would know that no usable data had been taken, provided the key itself was not sitting on the same machine and the file was not open for use at the time of the break-in. It is easy to encrypt data files or email archives, and to be confident that a computer holds nothing usable to anyone even if its security is breached.
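To show what "easy to encrypt" looks like in practice, here is a small Go program added for this post (it is my illustration, not code from the East-West Center, the White House, or the Star-Advertiser). It seals a roster file under a passphrase with AES-256-GCM so that the stored bytes are useless to an intruder who copies them, and it refuses to decrypt if the passphrase is wrong or a single bit has been altered. The roster contents, the passphrase, and the PBKDF2 iteration count are all made up for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SampleRoster is a constructed stand-in for the kind of file at issue: names,
// birth dates and Social Security numbers. Every value is made up.
const SampleRoster = "name,dob,ssn\nA. Example,1960-01-02,123-45-6789\nB. Sample,1955-03-04,987-65-4321\n"

const (
	saltLen    = 16      // random per-file salt for key derivation
	nonceLen   = 12      // standard GCM nonce size
	keyLen     = 32      // AES-256
	iterations = 100_000 // PBKDF2 work factor: a demonstration value, raise it for real use
)

// pbkdf2SHA256 derives n bytes from a passphrase (RFC 8018 PBKDF2, HMAC-SHA256).
// Written out so the example needs nothing outside Go's standard library.
func pbkdf2SHA256(pass, salt []byte, iter, n int) []byte {
	var out []byte
	for block := uint32(1); len(out) < n; block++ {
		var ctr [4]byte
		binary.BigEndian.PutUint32(ctr[:], block)
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		mac.Write(ctr[:])
		u := mac.Sum(nil) // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // Uj = PRF(P, U(j-1)); T = U1 xor ... xor Uc
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:n]
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a passphrase. Output layout: salt || nonce ||
// ciphertext || 16-byte tag. The salt is bound as associated data as well, so
// it cannot be swapped without failing the tag check.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(hdr, nonce, plaintext, salt), nil
}

// Open reverses Seal. A wrong passphrase or any modified byte fails the GCM
// tag check, so the caller gets an error rather than silently wrong data.
func Open(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered blob")
	}
	return pt, nil
}

func main() {
	pass := "correct horse battery staple" // assumption: the passphrase lives off the server
	blob, err := Seal(pass, []byte(SampleRoster))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; plaintext SSN findable in them: %v\n", len(blob), bytes.Contains(blob, []byte("123-45-6789")))
	_, err = Open("guess", blob)
	fmt.Println("wrong passphrase:", err)
	blob[len(blob)-1] ^= 1 // flip one bit of the tag
	_, err = Open(pass, blob)
	fmt.Println("after tampering:", err)
}
```

The point the program makes is the one above: what sits on the internet-connected server is the sealed blob, and the blob alone tells an intruder nothing. That only holds if the passphrase (or key) is not stored beside it and the file is not left decrypted on disk while it is being worked on. For real use, take the key derivation from a maintained library such as golang.org/x/crypto (pbkdf2 or argon2) rather than a hand-written routine like the one here.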
Aaron Titus, Information Privacy Director of the Liberty Coalition, offered this comment in response to a Disappeared News question:
Anyone can get hacked by a determined adversary, even organizations with very secure systems. Unfortunately the letter to victims raises more questions than it answers. Why and for whom did the East-West Center set up their internet server to share APEC White House credentials, and was the connection secure? If the information was not being shared, then why was it placed on a public internet server in the first place? Are there any other servers which contain sensitive information, that are also connected to the internet at the East-West Center?
I commend the East-West Center for notifying victims and sponsoring a forensic investigation. I hope that they will publish the results of the forensic investigation to the victims, positive or negative, so that affected individuals may have some closure on this event. Sometimes forensic investigations don't actually occur, and the results are almost never shared with victims.
Leaving unencrypted data on an Internet-connected computer is something like leaving valuables on the back seat of an unlocked car. Sure, if someone takes the valuables they are committing a crime, but the crime was enabled by the negligence of the car owner.
Once an intrusion is detected, it is too late. Prevent, don’t lament. (I made that up myself.)
The East-West Center letter to potential victims is posted on the Star-Advertiser’s Scribd page, which they have not locked down behind their paywall.