
Massachusetts Data Breach Exposes 139,000 Records

By Stefanie Hoffman, CRN
July 07, 2010    6:09 PM ET

The Massachusetts Secretary of State's office became the latest data breach victim when an employee accidentally released confidential information of 139,000 state-registered investment advisers to a business publication.

The breach occurred when a CD-ROM containing personal information of tens of thousands of investment professionals was sent to IA Week, an investment industry publication, in response to a request for public information. IA Week had sent the office's Securities Division an information request for a list of registered investment companies, but was instead sent a list of investment professionals.

A new employee was culpable for the breach, having failed to delete the investment advisers' Social Security numbers and other private information, which is normally withheld in responses to such requests.

Altogether, the exposed information included the investors' names, Social Security numbers, birth dates and locations, in addition to height, weight and hair and eye color.

IA Week, however, returned the CD, claiming that it had not copied the data. Meanwhile, the Massachusetts Securities Division is pondering whether this qualifies as a data breach, given that the data was recovered and reportedly wasn't abused.

However, security experts beg to differ.

"The users should treat this as if their personal information is now at risk," said David Berman, director of product marketing for Voltage Security.

If it fell into the wrong hands, the exposed data could be used to obtain a fake ID, which hackers could subsequently use to infiltrate or open personal accounts using the victim's personal information, Berman said.

"There's a number of cases where people are interested in purchasing false IDs, whether it's a state DMV driver's license or identification card. That's a concern," he said. "That can create a lot of confusion when people open accounts using a piece of your personal information."

While the breach appeared to be an accident, Berman said that any exposure of personal information could have been prevented if the Massachusetts office had deployed basic encryption technology that would have masked sensitive data unintentionally saved to the disk.

"In this basic case, any encryption at all would have prevented sensitive data being leaked outside the institution," Berman said. "In this case, it's probably more than an unfortunate mistake. There are security best practices, operation processes and some technology requirements that this particular office doesn't have."

