Physical theft of a server highlights the importance of encryption.

16/12/16 16:46

A dentist in the Napa Valley (California, USA) has learned the hard way the importance of encryption. Protecting data at rest (live and archived) is just as important as protecting data in use and data in transit: once an attacker has physical possession of the disk, none of the network or operating-system controls matter.

Napa Valley Dentistry recently notified current and former patients of the physical theft of a server containing their personal information, including their Social Security numbers.

"What happened?
Someone broke into our locked storage unit, which was within a gated storage facility, and stole a password-protected server. Upon discovery of the theft, we promptly notified the Napa Police Department and will provide whatever cooperation is necessary to identify the perpetrator(s) and hold them accountable. On September 8, 2016, we confirmed that your personal information may have been on the server. In December 2012, Dr. Justin Newberry, DDS, purchased Napa Valley Dentistry, including this server, from Dr. C. Michael Quinn, DDS. The server may, therefore, contain personal information of Dr. Quinn’s former patients who may not currently have a relationship with Napa Valley Dentistry. While there is no indication that your personal information was, in fact, accessed without authorization, we are notifying you out of an abundance of caution and offering you identity protection services.

What information was involved?
The information included names, addresses, dates of birth, Social Security numbers and dental insurance information."

It's good that the practice notified current and former patients of the data breach, and even better that it did the right thing in offering credit monitoring and identity protection services for twelve months. What is not mentioned is whether the data on the server was encrypted. "Password-protected" describes an operating-system login, not encryption of the disk: whoever now has the server can simply remove the drive and read it from another machine. Only full-disk or database-level encryption, with the key kept off that machine, would have made the stolen hardware worthless to the thief.

On encryption, I'd make two points. 

  1.  Encrypt your backups as well as your live data. 
    Backups hold all the same data as your live system, and they are routinely kept in places with weaker physical controls than the production server: offsite tapes, external drives, a locked storage unit. A stolen backup is the same breach as a stolen server, so encrypt it with a key that is not stored alongside it, and test that you can actually restore from the encrypted copy.

  2.  Ensure you hold the encryption keys. 
    Using "the cloud"? You may think you're ok as you don't store your own server or backup data. If you use a cloud environment, ensure that you / your organisation holds the encryption key and not the service provider. If the provider holds the key, then anyone who compromises the provider, any insider there, and anyone with legal authority over the provider can read your data regardless of how well it is encrypted. Holding the key yourself also means you are responsible for it: lose the key and you lose the backups, so keep it in a key-management system or HSM you control, with its own backup and access controls.
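As an added illustration of both points above (this is example code written for this page, not code from the original post or from Berkeley), the Go program below shows the envelope pattern that "you hold the key" usually means in practice: each backup is encrypted under a fresh data encryption key (DEK), and only the DEK, wrapped under a key encryption key (KEK) the customer keeps, is stored with the backup. The provider receives the ciphertext and the wrapped DEK and can read neither. The sample "patient records", the backup label and the in-memory KEK are constructed for the example; in a real deployment the KEK would live in an HSM or KMS you control, and the AES-GCM wrap below stands in for whatever wrapping that system provides.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets handed to the backup or cloud provider. Neither field
// is readable without the KEK, which never leaves the customer's control.
type Envelope struct {
	WrappedDEK []byte // DEK sealed with AES-256-GCM under the KEK (nonce prefixed)
	Ciphertext []byte // backup sealed with AES-256-GCM under the DEK (nonce prefixed)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with a fresh random nonce and returns nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal. It fails if the key is wrong, the associated data differs,
// or a single bit of the sealed data was modified.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptBackup generates a one-time DEK, encrypts the backup with it, then wraps
// the DEK under the customer-held KEK. The label is bound into both layers as
// associated data so one backup's envelope cannot be quietly swapped for another's.
func EncryptBackup(kek, backup []byte, label string) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, backup, []byte(label))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(label))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptBackup unwraps the DEK with the KEK, then decrypts the backup.
// Without the KEK neither step is possible, whoever holds the envelope.
func DecryptBackup(kek []byte, env *Envelope, label string) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(label))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(label))
}

func main() {
	// Constructed sample data standing in for a patient-records backup.
	backup := []byte("patient,dob,ssn\nJ. Doe,1970-01-01,000-00-0000\n")
	kek := make([]byte, 32) // in practice: loaded from an HSM or KMS you control
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	env, err := EncryptBackup(kek, backup, "backup-2016-09")
	if err != nil {
		panic(err)
	}
	fmt.Println("SSN visible in stored ciphertext:", bytes.Contains(env.Ciphertext, []byte("000-00-0000")))
	if _, err := DecryptBackup(make([]byte, 32), env, "backup-2016-09"); err != nil {
		fmt.Println("decrypt with a key the provider might guess:", err)
	}
	if got, err := DecryptBackup(kek, env, "backup-2016-09"); err == nil {
		fmt.Printf("decrypt with the customer's KEK: %q\n", got)
	}
}
```

The point of the two layers is operational rather than cryptographic: the DEK can be rotated per backup and handed to a restore job without exposing the KEK, and revoking access is a matter of destroying or re-wrapping keys in a system you control instead of asking the provider to delete data you cannot verify is gone.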

What questions should every CEO be asking? 


Written by Berkeley

Founded in the late 1990s, Berkeley serves clients all over the world including Australia, Asia, North America and the Middle East. Berkeley operates three core divisions: Enterprise Application Development (design, development and enhancement of our offerings), Enterprise Security and Systems Support Services (ongoing commitment to client service) and Internet and Cloud Services (making Berkeley applications available using alternative hardware solutions). Berkeley continuously strives to meet the needs of each of its valued clients. Its success has been heavily dependent on repeat/referred service based on its willingness to help information security specialists do their jobs better. Berkeley prides itself on delivering solutions on time, within budget and in accordance with specification.