theft of blood bank records

[ClubMan]

Again the IBTS spokesperson on Newstalk last night said that they were still trying to clarify with the Data Protection Commissioner what, if any, data protection issues arose here.

 

[And76]

Waste of money sending all the letters, i can live with being on a mailing list, worst case scenario. I'm sure they could put info on their webiste and take calls from any worried people instead

 

[demoivre]

myself, I was agreeing with you and merely reinforcing your own point.

Apologies, I misinterpreted what you said.

 

[rmelly]

Was the data not scrubbed of any identifying information (Surname, dob, phone number, address) BEFORE handing it to an american company?

I work with US info every day and if it's real data, then it MUST be scrubbed of such details. Data Protection and all that.

From experience this doesn't happen - and is not even considered by most (if not all) of the numerous government departments, agencies etc. that I have dealt with in the last decade.

 

[Complainer]

Some more details on the people affected and encryption used on the [broken link removed].

I'd be worried about identity theft - setting up of credit cards or mobile phone accounts etc using the stolen identities.

 

[Brendan Burgess]

As the question has been answered, I am moving it to Letting Off Steam

 

[scatriona]

Some more details on the people affected and encryption used on the [broken link removed].

I'd be worried about identity theft - setting up of credit cards or mobile phone accounts etc using the stolen identities.

Don't you need utility bills, proof of ID etc to get a mobile phone or a c. card?

S

 

[ClubMan]

Just on the technical issues mentioned in the PR:

state-of-the-art data encryption was used. The records were on a CD that was encrypted with a 256 bit encryption key.

This doesn't mean much if, for example, access to the decryption process was secured using only a simple password which, once found/guessed, would give full access to the data. If they wanted to be transparent then they really should have explained what specific tools/technologies were used here. The lack of such detail raises as many questions as it answers.

These records were transferred to a laptop and re-encrypted with an AES 256 bit encryption key.

Sounds like they were copied in the clear and then re-encrypted in which case temporary copies of the data in the clear could remain on the hard disk.

Not saying that a random mugger or their fence etc. is going to care or that the loss of this data is necessarily going to have that many negative implications for those involved* but just pointing out some possibly pertinent details.

* Myself included in all likelyhood.

 

[ajapale]

Does the IBTS have a documented quality management system?

 

[GeneralZod]

I wouldn't be surprised if it emerged that the developer was lazy and decrypted the data to work with it and was walking around with both encrypted and unencrypted versions of the data in plain sight on his laptop. It doesn't sound like they were using an encrypted filesystem either so it's likely the data is there in the clear waiting to be found with the right tools even if he didn't make that mistake. That's giving them the benefit of the doubt by assuming IBTS picked a pass phrase that could not be easily cracked with a dictionary.

 

[ClubMan]

I know that if I was writing a press release about that sort of situation then I would emphasise the positives and gloss over or ignore the more embarrassing bits.

 

[ClubMan]

Actually - here's another interesting strategy for getting at encrypted data!

 

[GeneralZod]

Actually - here's another interesting strategy for getting at encrypted data!

That's one for the tin foil hat brigade.

 

[ClubMan]

Note that you may also be able to retrieve lots of other (seemingly secret) useful data from memory using that approach.

 

[RainyDay]

Looks like the Data Protection Commisioner have published the results of [broken link removed].