News Stay informed about the latest enterprise technology news and product updates.

State Street breach highlights encryption limits, vendor due diligence

State Street encrypted its data, but a contractor unencrypted it and lost the disk drive containing the information on thousands of accounts.

State Street Corp. is the latest firm to acknowledge a data breach, after a contractor hired to conduct data analysis lost a disk drive containing the personal information of 5,500 employees and 40,000 customer accounts.

The devil is in the details of implementation with crypto, where a poor implementation of a good algorithm gives a false sense of security.
Scott Crawford,
analystEnterprise Management Associates

State Street disclosed the information on its website four months after it learned of the problem. The financial services firm said Thursday that it began notifying employees and customers of the former Investors Bank & Trust Company, which it acquired in 2007.

"As a precaution, State Street is notifying legacy IBT employees and certain legacy IBT customers that have been identified as having certain personal data on the stolen equipment," the firm said in a statement.

IBT contracted out a legal support service to review its electronic records and compile data for federal regulators as part of the acquisition in 2007. The data was initially encrypted, but State Street said the vendor unencrypted the information when it loaded the data onto computer equipment, which was stolen from its facility.

The information included individuals' names, addresses, dates of birth, and Social Security numbers.

Should whole disk encryption products be used with data backup software?  Disk encryption and disk backup play two distinct roles when it comes to enterprise network security. Michael Cobb explains how both of the important tools can be used together.

Case Study: Company Deploys Full-Disk Encryption on All Laptops: One billion-dollar company isn't taking chances with data stored on its laptops. It deployed full disk encryption on every machine, an increasingly popular security strategy.

The ins and outs of database encryption: While pundits and gurus may say the "easy" data protection option is for an enterprise to encrypt its entire database, the truth is it's much harder than many realize.

Worst practices: Encryption conniptions: Through the years,'s expert contributors have no doubt spent much of their time pointing out a variety of security best practices.

State Street said it notified state and federal law enforcement, which is conducting an investigation. The firm said it took several months to reconstruct analyze a copy of the data stored on the stolen equipment. So far State Street customers and employees are not affected by the breach. State Street said it would be offering free to the victims that its analysis indicates may be affected.

The loss of disk drives and tapes is prompting more businesses to encrypt data at rest, said Scott Crawford, an analyst with Boulder, Colo.-based Enterprise Management Associates.

In the State Street breach, the vendor handling the data unencrypted the information to conduct its analysis, but never encrypted it again. It happens often and companies sometimes fall prey to a false sense of security when deploying encryption. Ultimately the data is going to be accessed and sometimes another instance of the data is made that goes unencrypted, experts say.

"The devil is in the details of implementation with crypto, where a poor implementation of a good algorithm gives a false sense of security and it's potentially worse than not using encryption at all," Crawford said. "Even when experts are involved, the processes can be a killer."

What technology can do ends at how effective it is in managing or enforcing how people actually work with the data, Crawford said. Banks and financial services firms must comply with Basel II regulations with address operational risk management.

"Financial services have more motivation to be more thorough in managing operational risk, including risks posed by business partners," Crawford said.

Firms should have a centralized vendor management process in place that takes into account risk factors and be continually assessed to determine if the vendor is meeting the security requirements, said Ramon Krikken, a research analyst at Midvale, Utah-based Burton Group.

"Financial institutions are relatively quickly catching up with whole vendor management issue, but security has been an afterthought with vendor management," Krikken said.

Vendor evaluation should include assigning a risk score based on the sensitivity of the outsourced process. Vendor contracts should cover security issues and safeguards based on the risk factors assigned to the data, he said.

"It all comes down to having solid vendor due diligence, an area getting an increasing amount of attention," Krikken said.

Dig Deeper on Business partner and vendor security issues

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.