Monday, 22 February 2010

The lessons from the Kaiser Permanente breach

Last year, Kaiser Permanente notified close to 30,000 of its California employees of a data breach that had been discovered when the suspect’s home was searched for unrelated reasons and authorities found evidence that the employees’ data had been stolen. The evidence came in the form of dozens of driver’s licenses and credit cards in the names of the Kaiser Permanente victims, whose addresses, dates of birth, and Social Security numbers were included in the stolen data. Much has been made of the items the suspect allegedly purchased using the stolen data, which included designer dogs and gift cards to expensive stores. The real news for those in the security industry is how the data was obtained, how easily it was shared, and the inexplicable lapse in time between when the data theft was discovered and when the suspect was stopped.

The main suspect in the data theft ring worked for a third party that had access to the Kaiser employee files. When a third party has access to confidential data, the risks to that data rise considerably: the data owner no longer controls who touches it, from where, or what they do with it afterwards. In the case of Kaiser, the employee information was allegedly downloaded and distributed in a file that was only 17 megabytes in size, small enough to fit on any USB stick or in an e-mail attachment and, therefore, easy to transport and share. From there, the data was used to obtain driver’s licenses, credit cards and other items.

To put this case in perspective, the breach occurred in 2007, and the theft was discovered in 2008 during an unrelated search of the suspect’s home. Kaiser employees were notified in February 2009. For a number of reasons, including the suspect’s involvement in multiple crimes and the number of law enforcement offices involved, the suspect continued to use the data until February of this year. Kaiser offered the employees a credit monitoring package for one year, from 2009 until 2010. Since the suspect was using the data as recently as this month, those who suspect that they have been affected will need to keep monitoring their credit after that package expires.

This case shows the need for a unified investigative process and clear ownership among law enforcement, the importance of knowing at the corporate level what data is being accessed and by whom, and the need for accountability when a data theft occurs. Next month, the Massachusetts Data Privacy Law (201 CMR 17.00) goes into effect, mandating that any entity that owns or licenses Massachusetts residents’ personal information encrypt that data when it is stored on laptops or other portable devices or transmitted across public networks. This is a great first step in what will become an international drive to protect individual data.