
Latest News

This is our News Page. It's a great opportunity for you to understand the context and background of our project. 

Flash Drive Containing Information on 460,000 Japan City Residents Lost Following Night Out

A private contractor working for the Japanese city of Amagasaki lost a USB flash drive on Tuesday after a night out drinking. Because the contractor's work involved collating data on Covid-19 relief payments to individuals in the city, the drive is of immense importance: it holds information on an estimated 460,000 Amagasaki residents.

The city announced the loss on Thursday, noting that the contracted employee first notified the police a day after the loss, on Wednesday, June 22. According to the release, the employee lost a bag containing the flash drive after visiting a restaurant. The city says the information on the drive is encrypted and password-protected, but at the time of the announcement it was unclear whether the drive had been found.

Much of the data on the flash drive was sensitive, private resident information, including the bank account numbers of welfare-receiving households, full addresses, birth dates, tax data, and more. The contracted employee, who remains unnamed, was reportedly on his way to transfer the data to an Osaka-based call center after work on Tuesday evening.

According to the Osaka Info travel website, Amagasaki is a major "hotspot" for nightlife. The site notes that "socializing with friends and co-workers over food and drink is the norm," which it attributes to "free-flowing" draft beers and whiskey sodas. A city official said at a press conference:

"We deeply regret that we have profoundly harmed the public's trust in the administration of the city."

According to Japan Times, the USB stick has since been located: Suita police, together with the contracted employee, found the lost bag containing the drive outside a local apartment building, the Osaka Prefectural Police said.


Secure USB Drives Not So Secure

Vendors admit that many hardware-encrypted USB memory sticks contain a dangerous flaw that makes them easy hack targets, and many more may be vulnerable.

Several hardware-encrypted USB memory sticks are now part of a worldwide recall and require security updates because they contain a flaw which could allow hackers to easily gain access to the sensitive information contained on the device.

When USB maker SanDisk first received news of the problem last month, the vendor issued a security bulletin that warned customers its Cruzer Enterprise series of USB flash drives contained a vulnerability in the access control mechanism. SanDisk offered a product update online to address the issue and made sure to note the problem only applied to the application running on the host, not the device hardware or firmware.

Now USB vendor Kingston has issued a similar warning, probably because its drives use the same code from SanDisk. Kingston's alert informs customers that "a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data contained" on the drives. The company has issued a recall on the devices and urged customers to return them. USB vendor Verbatim has also issued a warning.

The drives impacted are equipped with AES 256-bit hardware encryption, which is designed to meet the stringent requirements of enterprise-level security. However, penetration testers with German security firm SySS uncovered a vulnerability in the way the flash drives handle passwords. The exact nature of the flaw is not described in any of the vendor bulletins, but according to an article in security publication The H, "the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism." SySS testers found that the drives were unlocked by the same character string regardless of which password had been entered, which allowed them to write a tool that sent that string to unlock the drive.
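As an added illustration of the design problem behind the SySS finding (constructed example code, not SySS's tool or any vendor's firmware): a flawed design in which the host checks the password and the device only ever sees a fixed unlock token, beside a hardened design in which the data key is wrapped under a password-derived key, so the device cannot release it without the password. The class names, the token value and the simplified XOR key wrap are assumptions.

```python
import hashlib
import hmac
import os

# Constructed placeholder. In the flawed design this constant is the only thing
# the device checks, so it is identical for every drive and every password.
FIXED_UNLOCK_TOKEN = b"constructed-fixed-unlock-token"


class FlawedDrive:
    """Device side of the flawed design: it trusts the host's password check."""

    def __init__(self, data_key: bytes) -> None:
        self._data_key = data_key

    def unlock(self, token: bytes):
        # The password never reaches the device; only the constant token does.
        if hmac.compare_digest(token, FIXED_UNLOCK_TOKEN):
            return self._data_key
        return None


def flawed_host_unlock(drive: FlawedDrive, pw_hash: bytes, password: bytes):
    """Host side: checks the password locally, then sends the constant token."""
    if not hmac.compare_digest(hashlib.sha256(password).digest(), pw_hash):
        return None
    return drive.unlock(FIXED_UNLOCK_TOKEN)


def kdf(password: bytes, salt: bytes) -> bytes:
    """Slow password hashing so the derived key cannot be guessed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=32)


class HardenedDrive:
    """Hardened design: the data key is wrapped under a password-derived key."""

    def __init__(self, password: bytes) -> None:
        self.salt = os.urandom(16)
        data_key = os.urandom(32)
        kek = kdf(password, self.salt)
        # Simplified key wrap: XOR with a one-time stream derived from the KEK.
        # Real devices use an authenticated key-wrap mode such as AES-KW.
        stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
        self._wrapped = bytes(a ^ b for a, b in zip(data_key, stream))
        self._verifier = hmac.new(kek, b"verify", hashlib.sha256).digest()

    def unlock(self, password: bytes):
        # No password-independent path: the KEK must be re-derived from the password.
        kek = kdf(password, self.salt)
        verifier = hmac.new(kek, b"verify", hashlib.sha256).digest()
        if not hmac.compare_digest(verifier, self._verifier):
            return None
        stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(self._wrapped, stream))


def demo() -> dict:
    """Constructed scenario: one drive of each design, both provisioned with 'correct'."""
    pw = b"correct"
    flawed = FlawedDrive(os.urandom(32))
    pw_hash = hashlib.sha256(pw).digest()
    hardened = HardenedDrive(pw)
    return {
        "flawed_host_rejects_wrong_pw": flawed_host_unlock(flawed, pw_hash, b"wrong") is None,
        "flawed_device_ignores_password": flawed.unlock(FIXED_UNLOCK_TOKEN) is not None,
        "hardened_rejects_wrong_pw": hardened.unlock(b"wrong") is None,
        "hardened_accepts_right_pw": hardened.unlock(pw) is not None,
    }
```

The second result is the design defect: the host-side check can be correct and the device still releases the key to any host that sends the constant token, whereas the hardened drive has no such path.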

The flaw may be contained in other drives as well and more recalls may be on the way, according to Graham Cluley, Senior Technology Consultant with Sophos.

"It's certainly a disturbing vulnerability, and may well lead to other hackers exploring the possibility of accessing what was previously considered 'securely encrypted' data," noted Cluley. "I don't know if other manufacturers also use SanDisk's code, but even if they don't they might be wise to examine their own products and think long and hard about whether they might be vulnerable to similar exploits. Although it's embarrassing to recall a product, it would be much worse to have a product on the market which is vulnerable to this kind of attack."

Cluley, who also blogged about the issue, called the problem "shameful" and said security managers need to be able to ensure proper encryption is used on USB sticks, which can carry a wealth of sensitive information.


Data Protection Act and The Study of Organizations – Lost USBs

  • Nearly Half of Organizations Have Lost Sensitive or Confidential Information on USB Drives in Just the Past Two Years.

  • Ponemon Institute study shows alarming percentage of companies do NOT consider protection of information on a USB drive to be high priority

  • Less than a third of organizations believe they have adequate policies to prevent USB misuse

  • 12,000 customer records lost on average per organization due to missing USB drives

Fountain Valley, CA -- August 9, 2011 --

Kingston Digital, Inc., the Flash memory affiliate of Kingston Technology Company, Inc., the independent world leader in memory products, today announced the results of a study conducted by the Ponemon Institute looking at USB prevalence and risk in organizations. The study found that inexpensive consumer USB Flash drives are ubiquitous in all manner of enterprise and government environments — typically with very little oversight or controls, even in the face of frequent and high profile incidents of sensitive data loss. The Ponemon Institute is an independent group that conducts studies on critical issues affecting the management and security of sensitive information about people and organizations.

The study underscores the pressing need for organizations to adopt more secure USB products and policies. A group of 743 IT professionals and IT security practitioners from global companies based in the United States were polled, and all acknowledged the importance of USB drives from a productivity standpoint. They cautioned, however, about the lack of organizational focus regarding security for these tools to meet appropriate data protection and business objectives.

The most recent example of how easily rogue USB drives can enter an organization can be seen in a U.S. Department of Homeland Security test in which USBs were 'accidentally' dropped in government parking lots. Without any identifying markings on the USB stick, 60 percent of employees plugged the drives into government computers. With a 'valid' government seal, the plug-in rate reached 90 percent.

According to the Ponemon study, more than 40 percent of organizations surveyed report having more than 50,000 USB drives in use in their organizations, with nearly 20 percent having more than 100,000 drives in circulation. The study finds that a whopping 71 percent of respondents do not consider the protection of confidential and sensitive information on USB Flash drives to be a high priority. At the same time, the majority of these same respondents feel that data breaches are caused by missing USB drives.

The Ponemon study concluded that a staggering 12,000 customer, consumer and employee records were believed to be lost on average by these same companies as a result of missing USBs. According to a previously released Ponemon report, the average cost of a data breach is $214 per record*, which puts the potential average total cost of lost records for the organizations surveyed in the USB Flash drive study at upwards of $2.5 million (USD). Other key findings in the report include:

Evidence of widespread compromise is apparent:

  • Nearly 50 percent of organizations confirmed lost drives containing sensitive or confidential information in the past 24 months.

  • The majority of those organizations (67 percent) confirmed that they had multiple loss events — in some cases, more than 10 separate events.

Oversight and control of USBs in enterprises can be better:

  • Free USB sticks from conferences/trade shows, business meetings and similar events are used by 72 percent of employees — even in organizations that mandate the use of secure USBs.

  • In terms of policies and controls, of the hundreds of IT professionals and IT security professionals polled, only 29 percent felt that their organizations had adequate policies to prevent USB misuse.


"An unsecured USB drive can open the door for major data loss incidents," said Larry Ponemon, Chairman and Founder of the Ponemon Institute. "Organizations watch very carefully, and put a plethora of controls around, what enters their businesses from cyberspace. This study drives home the point that they must also take a more aggressive stance on addressing the risks that exist in virtually every employee's pocket."

"Kingston® believes a lack of oversight, education and corporate confusion are factors that lead to the overwhelming majority of data loss when it comes to USB Flash drives," said John Terpening, Secure USB business manager, Kingston. "Organizations fear that any attempt to control a device like a USB is likely to be futile and costly, both in terms of budget and loss of productivity. However, a simple analysis of what an organization needs and the knowledge that there is a range of easy-to-use, cost-effective, secure USB Flash drive solutions can go a long way toward enabling organizations and their employees to get a handle on the issue."

Sources: https://www.kingston.com/unitedkingdom/us/company/press/article/40473

www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher


Information Security – “Catalog of Shortcomings” – UK’s Largest Airport

Heathrow Airport Fined £120,000 for Lost USB Storage Drive

 


The U.K.'s largest airport has been slammed by the country's privacy watchdog for a series of missteps that led to a USB memory drive containing highly sensitive information being lost on a London city street, where it was found by a passer-by.

On Monday, the Information Commissioner's Office announced that it was fining Heathrow Airport Limited £120,000 ($155,000) under the Data Protection Act 1998, which was in effect at the time of the breach.

"Data protection should have been high on Heathrow's agenda. But our investigation found a catalog of shortcomings in corporate standards, training and vision that indicated otherwise," says Steve Eckersley, the ICO's director of investigations. "Data protection is a boardroom issue, and it is imperative that businesses have the policies, procedures and training in place to minimize any vulnerabilities of the personal information that has been entrusted to them."

Heathrow is owned and operated by BAA Limited, which also owns or operates six other U.K. airports and itself is owned by an international group led by the Spanish Ferrovial Group.

"Following this incident, the company took swift action and strengthened processes and policies," a Heathrow spokeswoman tells Information Security Media Group. "We accept the fine that the ICO have deemed appropriate, and we have spoken to all individuals involved. We recognize that this should never have happened and would like to reassure everyone that necessary changes have been implemented, including the start of an extensive information security training program, which is being rolled out companywide. We take our compliance with all laws extremely seriously and operate within the stringent regulatory and legal requirements demanded of us."

 

Lost and Found: USB Memory Stick

The USB memory stick was lost by a Heathrow employee and found by a member of the public on Oct. 16, 2017, who viewed its contents on a library computer. None of the data stored on the device was encrypted or password-protected, the ICO says. The individual then passed the device to the Sunday Mirror, a national newspaper. The newspaper made copies of the information and then returned the device to Heathrow.

 

The ICO says the USB memory stick required no password and encrypted none of the data it was storing, in violation of Heathrow's own data protection policies.

 

"Although the amount of personal and sensitive personal data held on the stick comprised a small amount of the total files, of particular concern was a training video which exposed 10 individuals' details, including names, dates of birth, passport numbers and the details of up to 50 HAL aviation security personnel," the ICO says.

 

"The information was visible for approximately three seconds within the video wherein a page of an open ring binder (containing the information) was erroneously captured by the video," the ICO says in the partially redacted monetary penalty notice (PDF) that summarizes the results of its investigation and explains the commissioner's decision.

 

Heathrow reported the lost device to police on Oct. 26, 2017, the ICO says. The first media report about the data breach appeared on Oct. 29, 2017. "Terror threat as Heathrow Airport security files found dumped in the street," the Sunday Mirror reported, noting that the information included "the exact route the Queen takes when using the airport and security measures used to protect her" as well as a timetable of airport patrols.

 

The next day, the ICO made inquiries to the airport, after which Heathrow submitted a formal breach notification on Nov. 7, 2017.

 

Breach Traced to Security Trainer

The ICO says that Heathrow's own investigation found that a relatively junior employee - ironically, a security trainer - had put the training video onto the USB stick. "It appears from HAL's investigation that the USB stick was lost in transit when the staff member was commuting to or from their place of work," the ICO says. Heathrow suspended the staff member while it conducted its internal investigation, the ICO says.

 

"[Heathrow's] data protection manager made 'thought-based determinations' as to which groups of employees had the greatest exposure to personal data and [devised] a strategy for training accordingly."

—ICO

Following the incident, on Oct. 31, 2017, "a companywide instruction was issued directing staff to locate any memory sticks in their possession, delete any files contained on the device and then transfer the data or destroy the device according to advice provided by HAL's IT department," the ICO says.

 

The ICO says Heathrow also notified other regulatory and advisory agencies and contracted with "third-party specialists to monitor the internet and the 'dark web' for indicators that the breach had spread further or that documents were being traded online."

 

The airport has told the ICO that there is no indication that information was ever accessed by anyone other than the individual who found the USB device or the newspaper.

 

Security Training Deficiencies

The ICO report catalogs a number of information security policies and guidance documents issued by Heathrow, recommending that employees avoid or minimize their use of USB sticks whenever possible. At one point prior to the data breach, Heathrow had also advised employees: "Only use encrypted removable devices (e.g. USBs) approved by Heathrow and only use them if there's no alternative."

 

But the ICO says such guidance was not enforced and was poorly promulgated.

 

"HAL informed the commissioner that its data protection manager made 'thought-based determinations' as to which groups of employees had the greatest exposure to personal data and a strategy for training devised accordingly," the ICO says. "HAL estimated that only 2 percent of its 6,500 employees had received data protection training, being those deemed to be at greatest risk of exposure to personal data. It also confirmed that such training was not in place for security trainers, including the staff member involved in the incident."

 

At the time of the incident, Heathrow had technical controls in place to prevent unauthorized access to data, but not to prevent individuals with data access from storing it on unencrypted removable media, the ICO says.

 

Data Protection Act

The Heathrow Airport breach occurred while the country's old Data Protection Act was in effect, which allowed for a maximum fine of £500,000 ($660,000). The ICO levied that maximum fine last month against Equifax after investigating its 2017 data breach (see Equifax Hit With Maximum UK Privacy Fine After Mega-Breach).

 

The ICO had also levied £400,000 ($520,000) fines against three organizations: TalkTalk and Carphone Warehouse, both of which suffered serious data breaches, as well as against Keurboom Communications Ltd, which made nearly 100 million nuisance calls.

 

All breaches that occur in the U.K. from May 25 onward fall not only under the EU's General Data Protection Regulation, which came into full effect on that date, but also the country's Data Protection Act 2018, which imposes additional data security requirements on organizations. It also gives the ICO the ability to impose the maximum fines allowed under GDPR.

 

Organizations that fail to comply with GDPR's privacy requirements face fines of up to 4 percent of their annual global revenue or €20 million ($23 million), whichever is greater. Organizations that fail to comply with GDPR's reporting requirements also face a separate fine of up to €10 million ($12 million) or 2 percent of annual global revenue (see GDPR Effect: Data Protection Complaints Spike).

 

WIKI USB Data News – List of UK Government Losses

Date | Organisation | Records affected | Incident

  1. 2017 | Heathrow Airport | 2.5GB / 76 folders | Lost unencrypted USB storage device containing complete security information for Heathrow airport, including badges, maps, CCTV camera locations, etc.

  2. 2015 | Ministry of Defence | not stated | British Army footage and photographs of Operation Motorman were found to be missing.

  3. 2014 | Foreign Office | not stated | Records of Diego Garcia flights and the UK's role in the CIA rendition programme were destroyed by water damage.

  4. 2013 November | Suffolk County Council | not stated | An unencrypted USB memory stick was found containing information from the county’s adult and community services department. It held internal memos and copies of e-mails about forthcoming projects, and also tables containing the names of clients.

  5. 2012 | Greater Manchester Police | over 1,000 | An unencrypted USB stick containing details of witnesses with links to serious criminal investigations, which was being kept in a police officer's house, was stolen in a burglary. The force was fined £120,000.

  6. 2012 | South London NHS Trust | 600 | Records on 600 maternity patients and their newborn children were lost when unencrypted USB sticks were misplaced.

  7. 2012 February | Office for Nuclear Regulation (ONR) | not stated | A memory stick containing a safety assessment of a nuclear power plant in north-east England was lost by an official. The unencrypted USB pen drive contained a 'stress test' safety assessment of the Hartlepool plant.

  8. 2008 November | Department for Work and Pensions | n/a | USB memory stick, apparently encrypted, containing passwords for an old version of the Government Gateway, a website giving access to millions of records of personal data.

  9. 2008 September | Service Personnel and Veterans Agency | 50,500 | Three USB portable hard drives with details of staff were allegedly stolen from a high security facility at RAF Innsworth. The Agency holds records on 900,000 current and former personnel. Stolen records included sensitive information about the private lives of senior staff.

  10. 2008 August | Home Office | 84,000 | PA Consulting lost an unencrypted memory stick containing details of high risk, prolific and other offenders.

  11. 2008 August | Colchester Hospital University NHS Foundation Trust | 21,000 | A manager's unencrypted laptop holding patient addresses and treatment details was stolen from his car whilst he was on holiday in Edinburgh.

  12. 2007 November | City and Hackney Teaching Primary Care Trust | 160,000 | "Heavily encrypted" disks containing details of children were lost by couriers. The loss prompted the agency to implement hard drive and USB memory stick encryption systems across all PCs.

Source:

https://www.bankinfosecurity.com/heathrow-airport-fined-120000-for-lost-usb-storage-drive-a-11588?highlight=true
