The news just broke in a US Navy Times report that the names and social security numbers of over 130,000 US Navy sailors were compromised last month. NCIS - that Federal agency that no-one had heard of until 10 years ago - is investigating. And you can see why. Not only does this pose a serious threat to the personnel in their private lives; given the nature of the data, it should at least jingle a few nerves of those responsible for America's national security, too.
How did it happen? The data was on a Hewlett Packard contractor's laptop which was, to use HP's words, "compromised", allowing persons unknown to gain access to the information.
It is good that HP know of the situation, and of course that they observed their responsibilities in notifying the Navy. (Do they know through monitoring and auditing, or through some kind of user disclosure?) You have to wonder - given that the Navy was notified last month - why it then took until yesterday, the eve of one of America's most deeply observed national holidays, for the victims to be notified. That delay could have been costly, although the investigators are currently reporting that they have yet to find evidence of any malicious use of the information.
The two bigger questions, though, are why the data was on a portable device in the first place, and how it was possible for an unknown third party to gain access. Two fundamental rules of data security are: do not keep sensitive data on portable devices when it can be accessed by other secure means; and, if it must be kept there, ensure it is stored securely in encrypted form and only decrypted on strict need. And there's a third, more generic rule: never leave a personal device (be that desktop, laptop, tablet, mobile 'phone or what have you) unlocked and unattended (and of course the fourth no-brainer: never tell someone your authentication details). It is hard not to wonder which, if not all, of the above rules were broken.