Saturday, July 30, 2011

Cord Blood Registry suffers breach

Originally published 3/17/11 on

Last month reported that Cord Blood Registry (CBR), a company that stores umbilical cord for future use, suffered a data breach in December of 2010:

A CBR computer and data backup tapes were stolen from an employee's locked automobile. The stolen tapes contained customer names, Social Security numbers, driver's licenses and/or credit card numbers. This is the "mother lode" of personal identifying information for identity thieves.

This is a pretty serious breach, and a good (sic) example of how not to handle any type of data, but especially sensitive customer data. The thief broke into the car through the window. Never leave your computer in the passenger compartment where it can be seen, even if you've encrypted the data, which CBR didn't do. A visible computer is even more tempting to some thieves than a purse.

Because unencrypted customer data was kept on the seat of a car, 300,000 people are at risk for identity theft. If this were the first time this had happened, it might be understandable. But there have been several widely publicized breaches involving stolen or lost laptops, including a breach more than 100 times the size of this one at the Department of Veterans Affairs. There is no excuse for a business allowing unencrypted data anywhere, but especially not on laptops or portable media.