As some of you will have seen in today’s Irish Times a laptop containing 171,324 blood donor records was stolen in New York.
” donor records would include details such as name, address, date of birth, gender, blood group and contact phone number. The records on the laptop included any donor details that were updated between July 2nd and October 11th, 2007.”
I’ve spoken to the IBTS, and am expecting a call back later today with some further details. Information they’ve given me so far:
- The information was encrypted with AES 256bit encryption key- anyone’s opinion on the significance of this fact would be welcomed.
- The times reports “The records were in New York, the blood service said, “because we are upgrading the software that we use to analyse our data to provide a better service to donors, patients and the public service”.
The IBTS person, who was just the person on the helpline, said that the person they’d engaged to help them with this asked for some data to test the new system on. Is it best practice to use live data in circumstances like this (leave aside the question as to whether its good practice to fly to New York with it).
I’ve asked did the NY blood service get a copy of these details and whether they were in the Data Protection Safe Harbour programme.
UPDATE: the above was sent to draft instead of being posted.
In the meantime I’ve spoken to the Donor Services Manger.
He told me that the laptop was being carried by an employee of the NY Blood Centre- ie that the NY Blood Centre had been given a copy of the data.
The NY Blood Centre is not on the list from the US Department of Commerce as a member of the Safe Harbour programme.
He’ll come back to me with an answer to the question as to why dummy information couldn’t have been used instead of actual personal data from the IBTS database.
Any other questions which ought to be asked?
More Update: Daragh O’Brien has an excellent expansion of his comment below on best practice in this area on his blog. Daragh is a Vice President of the International Association for Information and Data Quality (IAIDQ), so I’d believe him.
Even More Update: Colm Smyth concurs with many of the things that Daragh said. He also questions whether the encryption used is necessarily as strong as it might be.
6 Comments
1) Why was software testing taking place in the US rather than in a facility in Ireland? User Acceptance testing is usually done by the people who will be using the software (or were there a junket of BTSB people in NYC for testing? If so, will the PAC consider that money well spent?)
2) Why was the information on a laptop and not on a CD/DVD held in a secure location and only loaded to designated servers/desktops/laptops when required in the testing labs? Having it on a ‘floating’ laptop is just not safe practice.
3) If this was not testing of software but development, why was a dummied copy of data not used?
4) Why was a specification for Irish BTSB data not provided to the New York Blood Centre IT team to allow THEM to create a dummy file using US data or other ‘fake’ data… simple things such as the format of an Irish PPSN (not the actual data), the specification of date formats used in Ireland, base reference data for disease types etc, a data file full of John and Mary Murphys all at different dummied addresses in Co. Letravan?
5) Are they totally insane? (because some fool thought this was a GOOD idea).
6) Why was ‘Safe Harbor’ not a pre-requisite for the selection of a software development supplier? Promises in a contract that your supplier will ‘be on their best behaviour’ must be auditable, audited and verified. Vague trust and happy thoughts don’t cut it. Did they audit NYBC’s security protocols to make sure they met the minimum standards of the DPA or did they take it on trust?
7) Why ignore best practice in testing and management of test data? Real data is not an essential thing in testing. Test data that LOOKS like real data (ie is in the same format, has the same statistical patterns in terms of types of ‘duff’ data (things that are in the wrong fields etc).
A simple principle is that data that identifies individuals should not be allowed onto a laptop that the data controller does not actually control. That they cite 256bit encryption as their security is good. However is there a guarantee that the laptop was actually encrypted or was this one of the contract terms that may or may not have been complied with?
If the data was being used for testing I would have assumed it would have been kept within the test environment. If this is a case of an eager bunny in New York bringing work home with him… then we have another layer of lax security.
Development of new software or software upgrades does not require live data. Testing does not require live data, except in very complex processing where the size of the dataset is important for stress testing or there are complex matching or parsing rules that need to be tested against the imperfections you find in reality – and even then a better approach is to profile your data to understand the ‘patterns’ in it (length of strings of text, incidents of data types being entered in the wrong fields etc.) which would need to be replicated in dummy data.
Ultimately I fear that this will lead to a smack on the wrist at middle management level, a stern talking to a senior level and a mass cull of low level flunkies. however this represents a total failure of governance, ignorance of best practice, and a very ‘happy path’ planning approach when it comes to the security of data of a sensitive nature. This is a policy issue and I suspect we’ll find that this approach to security was taken to save a few shillings on the budget.
As regards the security of the 256Bit security… well let’s just say it is a tough nut to crack, with no direct route through it, but a few side doors that rely on speed of access (gets very techie so let’s not go there) so really only are effective when you have physical access to the machine that the data is on and which is running the encryption algorthim. See WikiPedia for more info.
This presumes that the physical computer is not a laptop that gets stolen. It also presumes, even if the laptop is stole, that the data remained in an encrypted state on the laptop.
Personally, I’d suspect that if someone was dumb enough to bring sensitive data from ANOTHER NATION home with them they’d be thick enough to turn off the encryption, particularly if they were working on fixing a software bug and needed easy access to the data to play with to see if that was the cause.
At least the BTSB didn’t burn the data on to two DVDS and stick them in the post to the New York Blood Centre. At least I hope they didn’t.
The only glimmer of silver lining is that if it can be shown that the New York Blood Centre acted outside the terms of the Contract in terms of security and data protection, the BTSB might be able to sue them for their part in this mess.
Of course, the New York Blood Centre’s defence would be “but we assumed you sent us dummy data because only a fricking moron would send us LIVE data”.
A more reasoned post (as opposed to my rant above) can be found HERE
Not content with dashing off one post on this I’ve taken the time to analyse their privacy policy and data protection policy information on the IBTS website. To say they are in somewhat of a pickle from a Data Protection perspective is *ahem* an understatement.
Particularly as the DPC sent warnings around to Govt Depts and State Agencies after the UK bunglings so they were warned of risks etc.
My reasoned rant is to found here.
Simon, you asked for opinions on the significance of the encryption in use. Firstly, I think the IBTS handling of this has been excellent, both in terms of protecting the data being transferred and responding to the subsequent theft. It is easy to fall into a default position of heavily criticising organisations involved in this type of data loss but in this case I would question whether a breach has even occurred – there obviously was a theft of the data but I wouldn’t agree that the data itself has been compromised.
In terms of the facts on this, the IBTS has a detailed statement on their website at http://www.ibts.ie/press_rel.cfm?mID=6&sID=94&ssID=22&yr=2008&relID=61#61 (could be more prominent but the content is excellent). This addresses a number of your points including the fact that a model contract was used rather than Safe Harbour, and that the data sent was actually in the form of database log files rather than a simple data extract. This point regarding the data may explain why live data was used – the data being examined was to do with the actual usage and operation of the IBTS system, rather than just an extract of their database, so creating test data would likely have required setting up an entire mirror system, developing and running detailed test scripts to simulate normal usage, etc.
It does seem that IBTS recognised the potential for data loss in transferring this data and took very reasonable precautions: they put in place a specific agreement covering the transfer and handling of the data, they arranged for the data to be encrypted in transit, they required that the data be encrypted in use, and they sent only a subset of data rather than an entire database (still live data, but shows some consideration). This set of controls would exceed measures put in place by the vast majority of Irish organisations and in my view should be looked on as best practice rather than “sloppy” handling, as was claimed in the Dail yesterday.
The second aspect of this is the handling by IBTS of the laptop theft, again I think their response has been exceptionally good, comparable to the best international examples. Firstly it’s worth considering the timeline of the response – the theft occurred on the evening of Thursday Feb 7th, IBTS was notified on Friday Feb 8th (likely in the afternoon Irish time, given timezone differences). On the following business day, Monday Feb 11th, they notified the Data Protection Commissioner and a further 6 business days later (Tuesday of this week) they disclosed the incident. Having worked on many security incidents this is a remarkably quick disclosure, particularly given that there are at least 3 government bodies involved (DPC, DoH, IBTS).
Lastly I would point out that IBTS was under absolutely no obligation to disclose details of this breach and their example in this should be praised. The statements they have released, the detailed comments from their staff, and the prompt reporting of the incident are again a model for other Irish organisations. ISSA Ireland actually has a meeting on tomorrow, Friday Feb 22nd, on exactly this topic (Security Breach Reporting and Impact) and I doubt we will come up with a better example of how these issues should be handled.
[…] be embarrassing it would not have constituted a breach of the Data Protection Act. I notice from Tuppenceworth.ie that the IBTSB were not quick to respond to Simon’s innocent enquiry about why dummy data […]
Hi Simon, thanks for the link. Actually the encryption strength is fine, it is the fact that this data was on a CD (and potentially on a laptop) at all that is the problem. You don’t share full real data just to show someone how to customise an application.
All the best,
Colm.