An interesting event reported in America where a civilian employee allegedly stole personal information on 80000 serving and former NYPD police officers. It’s being called a “massive data breach” (see here) because it involved the theft of back-up tapes from a data center. However, it’s not reported whether or not the thief had the equipment to extract data from the tapes, the right software to read the data, whether or not the data on the tapes was encrypted, or if – in the short space of time between the tapes being stolen and recovered – whether the data was put to some use. Probably not unless he had help.
This is typical alarmist reporting, designed to do nothing more than sell copy. The real issue is the process failure that allowed somebody to use an expired ID card to fool a security guard.
Two minutes worth of Googling and I came across this: An audit of the Police Department’s (NYPD) data center and computer
security disclosed that there is adequate physical and computer system
security in the data center and that computer operations, as well as
contingency plans, have been tested in compliance with applicable
Federal Information Processing Standards and City guidelines….
They might want to revisit those guidelines!
So, while this was a data breach of sorts, the important bit from my perspective is the fact that a malicious employee was able to social engineer his way into a restricted area. It was an easily preventable incident.