Small financial services firm learns about security the hard (wrong) way


Date Reported:
9/16/10

Organization:
Advisors Unlimited

Contractor/Consultant/Branch:
None

Location:
Hagatna, Guam

Victims:
Clients

Number Affected:
As many as 1,000

Types of Data:
Personal information including "names, dates of birth, addresses, Social Security numbers, driver's license numbers and bank account information and credit card numbers"

Breach Description:
The Hagatna office of Advisors Unlimited was burglarized and among the items taken was an external hard drive containing financial information and personal information belonging to their clients.

Reference URL:
KUAM News
Pacific Daily News

Report Credit:
Nick Delgado, KUAM News

Response:
From the online sources cited above:

Principals at the money management firm Advisors Unlimited are asking its clients to help the company safeguard their assets after its Hagåtña office was burglarized last week.

Frank Salas, president and co-owner of Advisors Unlimited, said an external hard drive containing all of the company's information on its clients was stolen when the business was burglarized on Sept. 11.
[Evan] I will assume that this external hard drive was not encrypted.  If my assumption is correct, then we can further assume that the information has been (or will likely be) disclosed.

He said the client information includes names, dates of birth, addresses, Social Security numbers, driver's license numbers and bank account information and credit card numbers -- in some cases.
[Evan] Absolutely not a good idea to store this type of information on an external hard drive without encryption and sound encryption key management.  This is especially true in environments that are not adequately secure physically (as is the case here).

"It was an indirect entry," Salas said. "Nobody has been affected -- to our knowledge. We are taking numerous proactive steps in reaching out to our clients."
[Evan] Does it matter if it was an "indirect entry"?  It was an unauthorized entry, and an unauthorized entry is an unauthorized entry.

Salas said the Guam Police Department and the Federal Bureau of Investigation have been notified and letters are being sent to clients to warn them of the recent incident and steps they should take to better protect their assets.

Advisors Unlimited has a little under $25 million in assets from its 1,000 clients. Between 600 and 700 of those people are direct clients with the remainder being indirect clients, Salas said.
[Evan] I'm not clear about the difference between a direct and an indirect client.

GPD spokesman Officer A.J. Balajadia said the burglary was reported to the police on Sept. 12.

He added that the burglar or burglars gained access to the office through an adjacent business by climbing over a wall that separates the two businesses.
[Evan] When we (FRSecure) review physical security risks for our clients, one of the many things we assess is access from adjacent/shared facilities.  I am guessing that Advisors Unlimited has never conducted a physical security risk assessment, let alone assessed the risks resulting from adjacent/shared facilities.

He also said the case is suspended pending further development, and a copy of the report will be sent to the department's Criminal Investigation Division and the Property Crimes Unit.

Flo Martinez, vice president and co-owner of the business, said some of the clients' accounts are in off-island financial institutions and alerts have been sent to those institutions.

She added that clients should ensure that accounts that are not with Advisors Unlimited are checked for any unusual transactions because Social Security numbers were taken.

"We are now going to have a security alarm system in place," Salas said.
[Evan] Gee.  Good idea!

He added that the company never had one because there weren't any back entrances to the building and the only entrance faces the road in front of the Julale Shopping Center. "We never thought this would happen."
[Evan] Lack of awareness?

Teresa Kasperbauer Sakazaki, sales consultant for G4S Security Systems Guam, said over the past six months, several buildings have been broken into in a similar manner.

Sakazaki said illuminating the outside of a property, leaving lights on in different rooms on various days, removing shrubs that are close to buildings, and installing an intruder alarm system are some ways of protecting an establishment or home.
[Evan] These are some good tips for starters.  Every business that uses sensitive information should conduct a thorough physical security risk assessment.  The failure to do so can result in catastrophe.

Commentary:
This was a "perfect storm" in a way.  Poor physical security, lack of encryption, and a general lack of awareness led to this breach.  All of these points are very important in protection.  Here is a good tip:

ENCRYPT SENSITIVE DATA AT REST, ESPECIALLY IF THE MEDIA ON WHICH IT IS STORED IS NOT PHYSICALLY SECURE (beyond a locked door).  

Past Breaches:
Unknown

 