Company Continues Bad Information Security Practices

Stories about thefts of personal data are dime-a-dozen these days, and are generally not worth writing about.

This one has an interesting coda, though.

An employee hoping to get extra work done over the weekend printed out 2004 payroll information for hundreds of SafeNet's U.S. employees, snapped it into a briefcase and placed the briefcase in a car.

The car was broken into over the weekend and the briefcase stolen -- along with the employees' names, bank account numbers and Social Security numbers that were on the printouts, a company spokeswoman confirmed yesterday.

My guess is that most readers can point out the bad security practices here. One, the Social Security numbers and bank account numbers should not be kept with the bulk of the payroll data. Ideally, they should use employee numbers and keep sensitive (but irrelevant for most of the payroll process) information separate from the bulk of the commonly processed payroll data. And two, hard copies of that sensitive information should never go home with employees.
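As an added illustration of the separation described above (this is example code, not anything from SafeNet or the original post), the sketch below keeps routine payroll data keyed by employee number, holds the SSN and bank account in a separate store, and refuses to render a take-home report that still carries anything that looks like either. All records and the regex patterns are constructed assumptions.

```python
import re

# Constructed sample payroll records; every value is made up.
PAYROLL_2004 = [
    {"emp_no": "E1001", "name": "A. Example", "gross": 52000.00,
     "ssn": "123-45-6789", "bank_account": "000123456789"},
    {"emp_no": "E1002", "name": "B. Sample", "gross": 61000.00,
     "ssn": "987-65-4321", "bank_account": "000987654321"},
]

# Fields that are irrelevant to most of the payroll process.
SENSITIVE_FIELDS = ("ssn", "bank_account")


def split_payroll(records):
    """Return (working_set, vault): the working set keeps only what routine
    processing needs, keyed by employee number; the vault keeps the
    identifiers that only the final bank-file step should ever touch."""
    working_set, vault = [], {}
    for rec in records:
        vault[rec["emp_no"]] = {k: rec[k] for k in SENSITIVE_FIELDS}
        working_set.append({k: v for k, v in rec.items()
                            if k not in SENSITIVE_FIELDS})
    return working_set, vault


# Assumed shapes: a US SSN and a 9-17 digit account number.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ACCT_RE = re.compile(r"\b\d{9,17}\b")


def contains_sensitive(text):
    """Pre-print check: flag output that still carries an SSN- or
    account-number-shaped token."""
    return bool(SSN_RE.search(text) or ACCT_RE.search(text))


def render_report(working_set):
    """The only form that should leave the office: emp_no, name, gross."""
    text = "\n".join(f"{r['emp_no']},{r['name']},{r['gross']:.2f}"
                     for r in working_set)
    if contains_sensitive(text):
        raise ValueError("report still contains sensitive identifiers")
    return text


def bank_file_line(emp_no, working_set, vault):
    """The re-join with the account number happens only in this step."""
    rec = next(r for r in working_set if r["emp_no"] == emp_no)
    return f"{vault[emp_no]['bank_account']},{rec['gross']:.2f}"
```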

But SafeNet won't learn from its mistake:

The company said no policies were violated, and that no new policies are being written as a result of this incident.

The irony here is that this is a security company.

Posted on May 10, 2005 at 3:00 PM • 20 Comments

Comments

Ithika • May 10, 2005 5:29 PM

Oh, that's horrific, that's car-crash policy that is. You can't help but stare as companies like that blithely do the most absurd and stupid things. Oh, that's painful.

Arik • May 10, 2005 6:14 PM

@Ithika

The rules in this blog clearly say that you have to wait until Israel Torres has written his comments and only then comment.

And more to the point:

Changing the policy is admitting failure.

Admitting failure is acknowledging responsibility

Acknowledging responsibility means accepting liability

Accepting liability means money lost in court

Hence: Admit to nothing, change nothing. Probably unofficially people will be told to tighten control over sensitive data, and after the dust settles someone will make sure some new procedures are in place, but to proclaim that publicly - whoa. A step too far.

-- Arik

Davi Ottenheimer • May 10, 2005 6:19 PM

"no policies were violated"

Most of the recent regulation of personal identity information seems to call out electronic data only.

To be fair it makes some sense to focus regulation on electronic data since it is much easier to manipulate and transmit -- far easier to compromise without detection compared with a room full of filing cabinets, or even a briefcase -- but it's the spirit of the law(s) not the letter that is surely violated in this case.

The obvious solution is to recalculate the risks based on the business practice of carrying paper copies and to then update relevant privacy protection policies.

Davi Ottenheimer • May 10, 2005 6:21 PM

@Arik
You have cited a policy, and then violated it by citing it...funny. Now you just need to change the policy you cited. :) Very Pythonesque.

Arik • May 10, 2005 6:31 PM

@Davi

The paradox is easy to solve - I am not bound by the policy I'm quoting, therefore I can quote it without violating it.

And Python is my favorite programming language.

-- Arik

kashmarek • May 10, 2005 6:45 PM

Was this a fake robbery? How often has this happened before at this company? Sounds like a setup. Who else knew the information was in the briefcase so it could be "stolen" at such an opportune time?

Dean Harding • May 10, 2005 7:08 PM

My guess would be that they (the thieves) weren't actually after the personnel data when they stole the briefcase, that it was just a fluke that it happened to contain personnel data...

Still, it seems pretty obvious that the employee shouldn't have taken it home with him. Why would you need a print-out of all that data anyway? Seems like reams and reams of payroll hard copy would be pretty useless for actually getting any work done.

Saar Drimer • May 10, 2005 7:20 PM

To add to Arik's points:
- The company can say _anything_ (i.e. lie) to the press; they would publish it without checking.
- the public has very very short memory.

There is no way in hell "no policies were violated."

Jocelyn Chappell • May 11, 2005 12:51 AM

"to be fair... attention on electronic..." -- first set of initial UK data protection used to think so too..., until hard copy databases were used to route around legislation.

smi • May 11, 2005 4:22 AM

Has the employee ever heard of VPN? Why can't they just implement a VPN solution and have a policy to allow a particular group of staff to access the system? This way, this guy doesn't have to print out those copies....duh!

Adam Shostack • May 11, 2005 7:12 AM

I started my own blog post on this by attacking SafeNet, for much the same reasons Bruce did. But then I realized that there's a second dynamic going, that of voluntary disclosure of problems, and I think that encouraging such disclosure is worthwhile.

Clive Robinson • May 11, 2005 8:26 AM

@kashmarek & @Dean Harding

I suspect that the employee who had the authority to print out the sensitive data without question (or punishment) was fairly senior.

So a little scenario: as head of finance etc. I have a nice car, a nice suit and a nice briefcase. Usually I drive home in the evening, park in my garage, go in, get changed and go perform some social activities.

However, I have to work this weekend (what a drag), so I put my bag on the front seat of my car and drive home. On the way I think, "I've nothing in" or "I'll not cook tonight" and drive to some shop or takeaway. Park my car, get out (maybe lock it, depending on how much I am distracted by my thoughts) and go into the shop/takeaway.

Whilst I am away from my car, a thief who knows people park up in this area for shopping etc. is looking around. They see a nice expensive car with a really nice expensive bag on the front seat....

A thousand years of civilization can take nature out of humans, but nothing takes human nature out of them.

Israel Torres • May 11, 2005 8:26 AM

It is likely "no policies were violated" because they probably didn't have any policies set. It would in reality read:
"Um, whatza-whoozitz? Yeah now we got to write this up and place it in the lunchroom and hopefully someone won't do it again"

One obvious piece of wonder is why in the world did they print all this information out instead of using the data digitally? Not only would it be simpler to secure with encryption, but it could easily fit on a USB key. Perhaps it was the trees marking their revenge.

@kashmarek
The story seemed like a "likely story" to me as well. Investigators are most likely observing the "victim's" bank transactions.

@Arik
har-har, snicker-snicker

Israel Torres

Anonymous • May 11, 2005 8:52 AM

@Bruce

I don't think you quite meant this the way it comes across,

"Stories about thefts of personal data are dime-a-dozen these days, and are generally not worth writing about."

The more they are written about, the more likely some numbskull in government is to think he might earn votes by doing something about it.

The easiest way to make a "populist" politician jerk their knee is to get the press ranting on a subject.

Mark J. • May 11, 2005 10:41 AM

"The irony here is that this is a security company."
Irony, Bruce? I'd call that criminal incompetence. Pathetic excuse for a security company.

Jason Dixon • May 11, 2005 10:48 AM

I'm one of the ex-employees that was a victim of this absurdity. I'd like to point out to the readers who think this was a positive step by SafeNet in notifying the public that they're sadly mistaken. All employees and ex-employees *had* to be notified under the FACTA act. Undoubtedly, it was one of these victims (alas, not me) that notified the Baltimore Sun. SafeNet should be wholly ostracized for their negligent policies and re-evaluation of said "policies".

Bruce Schneier • May 11, 2005 1:13 PM

"I don't think you quite meant this the way it comes across, 'Stories about thefts of personal data are dime-a-dozen these days, and are generally not worth writing about.'"

I generally don't write about a story unless there is something new. That's what I meant.

Michael A. Plumlee • May 12, 2005 5:10 PM

Something similar happened at a previous employer. We had to use a numeric keypad entry to gain access to the building, and they set everyone's password to be the last 5 digits of your Social Security number. Everyone knew this was the policy. Someone went rummaging through the trash cans in the HR department and found printouts with employees' SSNs. They then picked someone's number at random and used it one night to enter the building and steal a bunch of computer equipment. The company quickly realized what happened and changed everyone's password to random numbers, and HR started shredding documents.

Stories like this and the SafeNet story serve to illustrate that people, and sometimes policies, are the weak links.

thomas • June 5, 2005 1:41 AM

Something like this happened at my previous job. I had just started working there and got shell access to the development server. I played around on the box a little to find out .ro kiddies had 0wned the box for about half a year.
I found out, told no one but my immediate boss and a couple of close friends.
A couple of weeks later I got fired. Still haven't found out exactly why.
Yes, losing a job sucks, certainly since I know what I'm capable of; although I just graduated, I've been into security for several years.
Yes, the development server was connected directly to the internet, default (not even hosts* files), unpatched (ooold kernel etc. etc.).
Yes, it was a security company, providing (IBM) services to some HUGE clients.
Should I go to the press? Seems like a more interesting story than this one.
