Go back ten years, and there wasn’t a month that went by without reports of a USB memory stick containing customer PII being lost or stolen. Since that time, improved security awareness, and technology, have reduced such incidents. However, recent reports of a Japanese contractor who lost USB memory sticks containing the sensitive data of almost half a million people are a reminder that the risks are still very real and may still be happening more often than we think.
In June, the city of Amagasaki in western Japan hired the company BIPROGY to analyze and oversee COVID-19 tax relief for its citizens. As originally reported by NHK and other sources, on June 23, an employee of that company working on-site at the city offices decided to copy data without permission and continue working on it in the company office in Osaka. This data included very sensitive information – names, addresses, birth dates, details of residence tax payments, and the bank account numbers of those receiving benefits.
The BIPROGY employee copied the personal information of 465,177 residents of Amagasaki onto two USB memory sticks and took them with him. However, instead of going directly to Osaka the same night, he went to a local bar in Amagasaki with colleagues and ….well, the rest is something of a hazy memory. He woke the next morning without the bag that contained the two USB sticks.
The incident was reported to Amagasaki police the following morning, and another day later, the bag was found outside an apartment building. But not before the city office was flooded with 30,000 angry calls from citizens.
The police reported that there seemed to be no foul play involved, and the two sticks were not accessed. There were also no reports of data leakage. However, a detailed investigation is still ongoing.
The cost of USB data loss
The bad news is that the Amagasaki case is one of many such incidents. For example, in October 2017, a USB stick was found on the street in London containing maps, videos, and documents, including the details of measures used to protect the Queen. The source was traced to Heathrow Airport. Less fortunately than in the case of Amagasaki, this data was left completely unencrypted, even the documents declared confidential. Heathrow was fined $147,000 by the Information Commissioner’s Office for the breach.
A specialist study on the subject of data loss via missing/stolen USB drives was conducted several years ago by Ponemon Institute. This study found that companies lose an average of $2.5 million from the loss of memory sticks. Given this number is now a decade old, long before the risk of regulatory fines (GDPR, CCPA, etc.), we can extrapolate that losses from USB sticks and unauthorized transfer of sensitive data through other channels are costing businesses worldwide millions today. Especially due to the fact that, according to a 2018 report by Netwrix, more than half of data loss accidents happen not due to black hat hacker attacks but due to mistakes made by regular employees.
More than just USB sticks, and more than just data loss
Unprotected USB flash drive usage is a reason for not just data loss but also major black hat hacker attacks. For example, one of the biggest breaches in U.S. military history in 2008 happened due to an infected USB drive. Strong DLP protection for USB drives that prevents data transfer both from the local system as well as to the local system is even more important nowadays due to common USB drop attacks where cybercriminals send USB drives to businesses, which upon connection to an unprotected system install ransomware.
The importance of a data loss prevention solution
The good news, in this case, was that the files copied onto the USB sticks were encrypted and password-protected. However, the whole incident could have been avoided with a proper data loss prevention solution.
Imagine that the employee was so intent on copying PII data to work on it elsewhere that he tried all other options, including sending the data via email or as an upload to a personal cloud storage app.
Endpoint Protector would have been able to not only control the use of USB storage devices (or at least enforce encryption of any files being stored on a removable device) but also put the measures in place to restrict any exfiltration of PII, e.g., via email, network shares or cloud uploads.
The growing importance of data and the continuously increasing cybercriminal activity levels make DLP and device control a necessity in today’s world – especially if you’re handling PII, PHI, or payment card data. Your data loss case might not make it big in the media, but it will nevertheless have the potential to seriously hurt your business, if not financially, then reputationally.
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.