BreachExchange mailing list archives
Re: NY laptop theft breaches no data protection rules
From: "Mike Simon" <msimon () creationlogic com>
Date: Wed, 27 Feb 2008 09:23:35 -0800
Chris is right of course. As a trivial example, it would be simple to reverse the codes for blood type from this sample. Blood type for this population is a solid statistical model and this is enough samples that one could derive which column is blood types and what the codes are by doing simple statistical analysis of the given data. Given that and the sample size, it seems likely that other disease codes could be reversed in exactly the same way, especially given the specificity of the population base. This isn't advanced statistical attacks on a cipher, just high school math. -----Original Message----- From: Chris Walsh [mailto:chris () cwalsh org] Sent: Wednesday, February 27, 2008 8:00 AM To: lyger Cc: dataloss () attrition org Subject: Re: [Dataloss] NY laptop theft breaches no data protection rules I am interpreting "encryption", in light of what is said below, to mean "use of consistent and obscure codes". Basically, something akin to a "q code". If I understand this properly, a decoded record might look like this: Chris Walsh 123 Main St Dublin AB- HIV+ Whereas the "encrypted" variant is: Chris Walsh 123 Main St Dublin 785 432 Since the ITBS never told NY that "785" is the code for "AB-" and "432" means "HIV+", adequate protection of this sensitive information was in place. I won't argue with that conclusion, although it would be easy to. I will say that calling a simple code such as this "encryption"was unfortunate, and tends to perpetuate misunderstandings. Lastly, "It is not possible to isolate individual fields in the log files, so it would have been difficult, if not impossible, to have anonymised the files prior to their supply to the NYBC" means they could not parse their own logs. That's interesting. On Wed, Feb 27, 2008 at 02:52:03PM +0000, lyger wrote:
The loss of a laptop containing the files of up to 175,000 Irish blood
donors, which was stolen earlier this month in New York, does not constitute a breach of the Data Protection Acts and the encryption on
the
laptop is sufficient to protect the files, Ireland.s Data Protection Commissioner said today.
[snip]
The log files also contain numeric codes for other kinds of information such as attendance at the IBTS or blood-test results
performed
by the IBTS. "Importantly, the key for these codes was not on the stolen laptop or
on
the disks given to the NYBC for the performance of its functions," the
Commission said. "It is not possible to isolate individual fields in the log files, so
it
would have been difficult, if not impossible, to have anonymised the
files
prior to their supply to the NYBC. Accordingly, the amount of personal
data supplied to the NYBC for the performance of the contract entered
into
is not considered excessive in the circumstances," the Commission
said. _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml
Current thread:
- NY laptop theft breaches no data protection rules lyger (Feb 27)
- Re: NY laptop theft breaches no data protection rules Chris Walsh (Feb 27)
- Re: NY laptop theft breaches no data protection rules Mike Simon (Feb 27)
- Re: NY laptop theft breaches no data protection rules Chris Walsh (Feb 27)