Security Breach Results – Up to $10 Million and 780K Victims
On March 30th, 780,000 people from the state of Utah had their personal information stolen from the Utah state servers on which it resided. The state has estimated the cost of the breach at $2 million to $10 million, which does not include potential federal fines or lawsuits. The costs include free credit monitoring for all victims, identity theft insurance, a public relations firm to handle the crisis, a newly hired health data security ombudsman, and an audit of the security of the state’s information technology systems by Deloitte & Touche. The fallout also caused Utah’s largest hospital chain, Intermountain Healthcare, to suspend all transactions with the state until the state can prove its computers are secure.
According to the Ponemon Institute, 70% of all breaches are due to a mistake or malicious intent by an organization’s own staff. This breach occurred because the information was not encrypted and was not protected by a ‘real’ password. The director of the Department of Technology Services was fired, and two more employees will either be reprimanded or fired. OK, but what about the 780,000 people whose healthcare and social security numbers were stolen? The government initially informed people using terms such as a ‘possible’ security breach and ‘information that may have been potentially exposed’. After two months, Utah Governor Gary Herbert finally stepped up to the plate and put together the plan described above.
So what was the problem here? Basically, they did not have the right infrastructure in place to encrypt confidential information, they lacked controls, and they lacked a strong password. Putting the infrastructure in place is mandatory. But how do you protect confidential information that is shared among government agencies, various healthcare organizations and other stakeholders? The problem is tangled in the minutiae of everyday activities. The end user is expected to follow organizational policies to secure content. How often do these policies fail? So how does an organization proactively identify potential data exposures in real time across diverse repositories, fax servers, email servers, scanned content, and so on?
Addressing unknown internet/server exposures and restricting the ability to download files can prevent 63% of potential exposures before they occur. What about the other 37%? The fundamental problem has been the inability to identify unknown privacy information within content as it is created or ingested and to automatically alert the organization to a potential exposure. Even with strict controls and a best-practices approach, unknown privacy exposures can and probably do exist on PCs, servers, web sites, and a host of diverse repositories, inadvertently exposing the organization to data breaches or identity theft.
An organization should have a security application in place that is actively used and monitored. One way to augment that application is to use a technology such as our conceptContentTypeUpdater, which enables an organization to proactively detect and prevent potential unknown data exposures and so mitigate organizational risk. Using advanced algorithms together with organizationally defined descriptors and vocabulary, privacy content can be automatically identified and aggregated into a central location for review and disposition.
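As an added illustration of the detection step described above (example code written for this post, not the vendor’s product), the Python scanner below checks ingested text for SSN-shaped values using the structural rules for valid SSNs, raises the confidence of a hit when organizationally defined vocabulary appears on the same line, and aggregates every finding into one review queue; the document names and their contents are constructed samples.

```python
import re
from dataclasses import dataclass

# Structural rules for a valid SSN: area 001-899 excluding 666, group 01-99, serial 0001-9999.
# The lookaheads reject values that can never be issued, which removes many false positives
# such as invoice or form numbers that happen to be nine digits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})[- ]?(?!00)(\d{2})[- ]?(?!0000)(\d{4})\b")

# Organizationally defined vocabulary (constructed here): a match on the same line as one of
# these terms is far more likely to be a real exposure than a bare nine-digit number.
VOCAB = ("ssn", "social security", "medicaid", "patient")


@dataclass
class Finding:
    source: str        # repository path the content was ingested from
    line_no: int
    redacted: str      # only the last four digits are kept in the review queue
    confidence: str    # "high" when vocabulary is present on the line, else "medium"


def scan_document(source: str, text: str) -> list[Finding]:
    """Scan one document's text and return a Finding for every SSN-shaped value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        context = line.lower()
        for m in SSN_RE.finditer(line):
            conf = "high" if any(term in context for term in VOCAB) else "medium"
            findings.append(Finding(source, line_no, f"***-**-{m.group(3)}", conf))
    return findings


def scan_repository(docs: dict[str, str]) -> list[Finding]:
    """Aggregate findings from all ingested documents into a single review queue."""
    queue = []
    for source, text in docs.items():
        queue.extend(scan_document(source, text))
    return queue


# Constructed sample content standing in for a fax, an email and a scanned invoice.
SAMPLE_DOCS = {
    "fax/intake-0412.txt": "Patient: J. Doe\nSSN: 123-45-6789\nMedicaid ID pending\n",
    "mail/outbox/reply.eml": "Call me at 801-555-0199 tomorrow.\nRef 321 65 4321 attached.\n",
    "scans/invoice.txt": "Invoice 000-12-3456 total $42.00\n",  # area 000 is never issued
}

if __name__ == "__main__":
    for f in scan_repository(SAMPLE_DOCS):
        print(f"{f.confidence:6} {f.source}:{f.line_no} {f.redacted}")
```

The phone number and the invoice number are deliberately left unflagged so the queue contains only the two values worth a reviewer’s time; the second hit is marked medium because no vocabulary appears on its line.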
We have many government clients who are successfully using our software to address unknown data exposures and who consider privacy the highest priority. Unfortunately, with exposures in government entities, the taxpayer ultimately pays the bill. It’s a growing problem, and all organizations should have the tools and infrastructure in place to eliminate unnecessary breaches and protect the identities of, in this case, 780K victims.