Simply Security - News, Views, and Opinions from Trend Micro

Posted on October 22nd, 2012 in Encryption by Simply Security | Be the first to comment | Tags: Encryption

A British law enforcement agency was fined more than $190,000 following the theft of an unencrypted USB drive that contained sensitive information regarding criminal investigations.

A British law enforcement agency was fined more than $190,000 following the theft of an unencrypted USB drive that contained sensitive information regarding criminal investigations. The removable media had personal data from 1,075 members of the public who had provided statements related to narcotics cases from the past 11 years, the Guardian reported.

The USB drive belonged to a detective in the Greater Manchester Police Drugs Squad. It also contained information about criminal suspects, as well as details on individual police officers and operations. The device was taken in a home burglary of the officer in question, and, since it was not protected by a password, it constituted a major breach of data protection policy, according to the U.K.’s Information Commissioner’s Office (ICO).

"In this particular case the data subjects would suffer from substantial distress knowing their sensitive personal data may be disclosed to third parties even though, so far as the commissioner is aware, those concerns have not so far materialized,” ICO director of data protection David Smith said in a report.

Following a similar 2010 breach, the ICO directed the the Greater Manchester Police Force to mandate the use of encrypted memory sticks. An ensuing amnesty program recovered 1,100 unencrypted devices from staff members. The department stressed that this recent breach was an isolated incident and that it had notified potentially affected individuals, the Guardian reported. Nonetheless, the ICO response was critical.

"It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed,” ICO’s Smith said. “Instead, it has taken a serious data breach to prompt it into action.”

Protecting USB devices
Memory sticks are particularly vulnerable to data breaches since their small size raises the risk for loss, theft or damage. People using a USB drive can take the basic precaution of password protecting and encrypting their data to prevent access even if the device falls into the wrong hands.

ZDNet’s Adrian Kingsley-Hughes has profiled a number of USB devices that encrypt data automatically, noting that this option ensures protection even if the user might normally bypass encryption out of convenience. TechRepublic’s Greg Shultz noted that Windows 7 introduced a feature called BitLocker To Go, which allows users to encrypt a USB drive and make it inaccessible without a password. This feature can serve users in both personal and professional contexts.

“IT administrators can configure a policy that requires users to apply BitLocker protection to removable drives before being able to write to them,” Schultz suggested.

Data Security News from SimplySecurity.com by Trend Micro