The province of Newfoundland couldn’t have handled a recent data breach any better, according to security expert, Rian Wroblewski. Wroblewski is the director of open source intelligence with New York-based Tony Joseph and Sons Investigation Inc., the private investigation agency that notified the Newfoundland government last month of a data breach in which a total of 694 files containing personal information were exposed.
The incident occurred when a laptop computer owned and operated by a private company conducting contract work on behalf of the provincial government and the Workplace Healthy, Safety and Compensation Commission, was connected to file sharing program Limewire, and exposed information to the Internet.
On January 22, 2008, Tony Joseph and Sons Investigation contacted the provincial government to notify them that a data breach had been detected.
“We don’t work for the government we just have so many searches that are going out now for current clients that when we get false positives online it’s usually someone else’s information, so we just sort of bumped into it,” said Wroblewski.
As to whether data breaches such as these are a common occurrence Wroblewski said that in the U.S. about 33 out of the Fortune 100 companies are leaking multiple critical data leaks, “All the CIOs out of those 33 know who I am, some of them we work with, and some of them hate to hear from me.”
“In Canada I’d heard that people were complaining because it took a few days to be notified and it’s definitely different standards there then in the U.S., because people over here will wait nine months or a year-and-a-half to announce a breach,” he said.
“If any U.S. corporation notified someone within two days of a pretty large breach they would be considered hero’s in the IT world, but over there (Canada) it’s considered late.”
Newfoundland’s Minister of Justice, Jerome Kennedy announced at a recent press conference that a review of the data breach was conducted by government officials, and Canadian technology company Electronic Warfare Associations (EWA) was hired to conduct a forensic analysis of a laptop computer owned by the company involved in the exposure.
“The processes undertaken have been thorough and I am confident that both EWA and our officials have done a commendable job in identifying the individuals who had their information exposed,” said Kennedy.
The forensic analysis and review determined that the personal information of 153 people was accessed via Internet file sharing program Limewire. The type of information exposed includes names, addresses, and medical and work history.
Wroblewski had nothing but high praise for the way the Newfoundland government handled the data breach, “They’ve handled this better than any corporation or government institution I’ve seen in the United States…they’ve done their due diligence to find out what went wrong.”
Data encryption fuelled by data breaches, regulations