Do you remember the gas station scene in Tommy Boy? Richard went into the convenience store to ask for directions to Davenport while Tommy tried to fill up the car. The car was too far away for the gas hose to reach, and so Tommy put the car in reverse. Unfortunately, he left his door open as he drove backward, and the door bent wide open. He forced the door closed while Richard was admonished by the gas station attendant to “get a new map.” When Richard returned to the car, he opened the door and it fell off. Tommy, pretending he knew nothing about it, asked Richard, “What did you do?”, as if it was Richard’s fault.
This week, Advocate Medical Group is doing a rather convincing Tommy Callahan impression. Names and social security numbers for four million customers are at risk because computers were stolen from one of the company’s administrative offices. This wasn’t a cyber intrusion. No firewalls were breached, no unpatched vulnerabilities in the operating systems were compromised. This was good old-fashioned pilfering of goods, the kind of activity done best by stealthy dudes in ski masks and trench coats.
Advocate’s defense? Not to worry, of course. No medical data were stolen, they say. Besides, the computers were password-protected, so the thieves can’t access the data because they don’t have the password to log in.
Puh-lease! That door that was bent the wrong way Advocate just forced closed. Just don’t try opening it, customers, or it will fall off.
Requiring a password to log into a PC will not deter people who are determined to access the data on that PC. All one has to do is take the hard drive out of the password-protected machine and put it into some other machine as a secondary drive. On that second machine, the attacker can log in and then access the secondary drive without the original password. Since the secondary drive is not the one the machine booted from, no password will be required to access its files. Those four million records will be the thieves’ in no time.
In fact, you don’t even need a second PC. Using what is called a “live CD”, an attacker can boot an operating system that is not on the system’s hard drive but instead is stored on the CD. The attacker will log into the CD-based operating system. Once in, he can then mount the original primary drive for the machine and grab all the files that are there.
What could Advocate have done to prevent this? Obviously, they could have better secured its administrative offices so that unauthorized people wouldn’t have access to the machines they stole. Short of placing armed guards at the entrance, though, they could have done something far easier and less expensive. They could have taken the very easy step of encrypting the data on these computers. An earlier post described a very easy tool called TrueCrypt which will encrypt whatever data you add to it in a practically impenetrable manner. They didn’t do this, of course. If they had, it is very unlikely the thieves would be able to grab the data stored on these machines, and four million customers could sleep better tonight.
This was a completely preventable incident that is made even worse by Advocate’s misleading attempts to minimize the seriousness for what happened. Advocate, what did you do?