The United States Internal Revenue Service (IRS) has admitted that an employee took home a USB drive containing unencrypted data on 20,000 fellow workers.
According to Bloomberg, the tax agency systems were not breached despite the Social Security numbers, names and addresses of employees and contract workers being potentially accessible online because the thumb drive was plugged into the employee’s unsecure home network.
The IRS said it had no knowledge of the information being used to commit identity theft, but commissioner John Koskinen said that the incident “is a powerful reminder to all of us that we must do everything we can to protect sensitive data, whether it involves our fellow employees or taxpayers.”
The IRS is contacting the current and former employees involved, almost all of whom worked in Pennsylvania, Delaware and New Jersey. The information dates to 2007, before the IRS started using automatic encryption.
Mark Bower, VP of product management and solutions architecture at Voltage Security, said: “Today, with contemporary data masking and de-identification technology, there’s no need to have employees handle sensitive data in high risk environments. Whether its big data sets, test data or for analytics, data de-identification technologies are available at very lost cost to protect the data itself, yet render it useless to attackers.
“20,000 records can be de-identified in a few seconds, allowing the employee to still perform analytics or use the data set for testing and developing applications without exposing live data. Encrypting the USB drive wouldn’t have made any difference if live data was read into the memory or file system of the workers home computer. Malware will get it. If the data was de-identified using a proven, secure method then this incident would have had no significance.”
Nicholas Banks, VP EMEA and APAC at Imation, told IT Security Guru that this incident flags up two key issues: firstly, that if data isn’t encrypted its integrity can easily and quickly be compromised, and secondly that it isn’t enough to just encrypt data, you have to be able to manage and track it.
“That means knowing who has accessed it, from what location and what devices that information resides on. This can be hard across a fragmented IT estate but it is absolutely essential. Companies need to be confident that if a device is considered to be compromised they can remotely lock it down, wipe it or initiate a self destruct sequence to remove the data in order to protect themselves and their stakeholders,” he said.