No encryption on Defence's lost and found memory stick

By Liz Tay on Mar 23, 2011 8:56 AM
Filed under Security

Loss had minimal security impact, Defence says.

A misplaced thumb drive that was returned to the Department of Defence last week was a commercial product with no encryption enabled.

The department’s investigation revealed that the drive belonged to a Defence contractor, and had 61.3 megabytes of data that included Defence material.

No encryption was enabled on the memory stick, which was “a commercial product purchased by the owner”, a spokesman told iTnews last night.

Although the drive was initially reported to have 20 classified documents, the spokesman said that most of information was unclassified.

“The only material that was classified held the lowest form of security classification,” he said. “Our assessment is that the loss of this material has a minimal security impact.”

Defence did not comment on its relationship with the contractor, beyond that the contractor had “cooperated fully” with the department’s investigation.

No encryption on Defence's lost and found memory stick

4 comments in this discussion

"It's very easy and costs nothing to encrypt a thumb drive. If they're using Windows 7 then there's BitLocker To Go, if not there's always TrueCrypt. There's really no excuse to have any portable ..."

By ejobrien

Tags

security, defence, data, loss, breach, government

Vic Govt to set up privacy and data security office

Defence to kit out 'Building 195' data centre

iiNet, Optus reject Telstra's revised NBN infosec plan

Ludlam seeks judicial oversight of telco surveillance

Breaking Stories

Bendigo Bank readies mobile payments scheme

NBN Co could miss revised June fibre targets

Tablets conquer Australia-NZ market: analysts

GE partners with AWS for big data project

Wall Street to simulate cyber attack

Readers of this article also read...

Comments: 4

nasz Mar 23, 2011 10:50 AM	They got lucky, this time!!!! Surely we should be more concerned that there was no encryption rather than minimal security impact!
BaysNet Mar 23, 2011 12:03 PM	No Excuses contractors and personal USB drives are all things that should and can be controlled. As a PCI-DSS QSA we all have to have encryption on all our laptops so there is no danger of us losing Credit card data of customers being audited. Check Point's endpoint security software encrypts the hard drive and forces encryption on any USb storage device to stop these data leaks and don't defence use this already themselves? Why not manadate that as a standard for contractors like the PCI Council do?
M1-A2 Mar 24, 2011 8:50 AM	Inappropraitely secured for the data of the Classification involved if there was more than U data on the stick and no compensating controls. OT: @BaysNet Errrrr, as a PCI-DSS QSA, what the hell are you doing if there is a risk of Customer's credit card data ending up on your laptop in the first place??? Huge no no! There are already security standards in Government, like the PSM and ISM (nee ASCI33) and I can't believe any moden day security professional (even a lowly QSA) wouldn't know them. You been doing this long? Besides, with the shear piracy in what QSA's charge for their rubber stamp, its no wonder you guys can afford full endpoint encyption. That and the ease you have in enforcing policies and controls since most of you are pretty small shops and of course you are motivated to be compliant to PCI-DSS since your over inflated pay packet is totally dependant on gaining revenue from a compliance model that is far from perfect. Bit like a tax accountant really! You should have taken the red pill!
ejobrien Mar 24, 2011 1:45 PM	It's very easy and costs nothing to encrypt a thumb drive. If they're using Windows 7 then there's BitLocker To Go, if not there's always TrueCrypt. There's really no excuse to have any portable device un-encrypted. If it can be lifted, it should be encrypted...