
State Street breach highlights encryption limits, vendor due diligence

By Robert Westervelt, News Editor
30 May 2008 | SearchFinancialSecurity.com


State Street Corp. is the latest firm to acknowledge a data breach, after a contractor hired to conduct data analysis lost a disk drive containing the personal information of 5,500 employees and 40,000 customer accounts.


State Street disclosed the information on its website four months after it learned of the problem. The financial services firm said Thursday that it began notifying employees and customers of the former Investors Bank & Trust Company, which it acquired in 2007.

"As a precaution, State Street is notifying legacy IBT employees and certain legacy IBT customers that have been identified as having certain personal data on the stolen equipment," the firm said in a statement.

IBT contracted a legal support service to review its electronic records and compile data for federal regulators as part of the 2007 acquisition. The data was encrypted when it was handed over, but State Street said the vendor decrypted it when loading it onto computer equipment, and that equipment was later stolen from the vendor's facility.

The information included individuals' names, addresses, dates of birth, and Social Security numbers.


State Street said it notified state and federal law enforcement, which are conducting an investigation. The firm said it took several months to reconstruct and analyze a copy of the data stored on the stolen equipment. So far, no State Street customers or employees have been affected by the breach. State Street said it would be offering free to the victims that its analysis indicates may be affected.

The loss of disk drives and tapes is prompting more businesses to encrypt data at rest, said Scott Crawford, an analyst with Boulder, Colo.-based Enterprise Management Associates.

In the State Street breach, the vendor handling the data decrypted it to conduct its analysis but never re-encrypted it. This happens often, and companies sometimes fall prey to a false sense of security when deploying encryption: ultimately the data has to be accessed in the clear, and sometimes a second copy is made that is never encrypted, experts say.

"The devil is in the details of implementation with crypto, where a poor implementation of a good algorithm gives a false sense of security and it's potentially worse than not using encryption at all," Crawford said. "Even when experts are involved, the processes can be a killer."

What technology can do ends at how effectively it manages or enforces how people actually work with the data, Crawford said. Banks and financial services firms must also comply with the Basel II regulations, which address operational risk management.

"Financial services have more motivation to be more thorough in managing operational risk, including risks posed by business partners," Crawford said.

Firms should have a centralized vendor management process in place that takes risk factors into account and continually assesses whether each vendor is meeting the security requirements, said Ramon Krikken, a research analyst at Midvale, Utah-based Burton Group.

"Financial institutions are relatively quickly catching up with the whole vendor management issue, but security has been an afterthought with vendor management," Krikken said.

Vendor evaluation should include assigning a risk score based on the sensitivity of the outsourced process. Vendor contracts should cover security issues and safeguards based on the risk factors assigned to the data, he said.

"It all comes down to having solid vendor due diligence, an area getting an increasing amount of attention," Krikken said.
