The toughest financial regulator in the US – the NASD – has compromised private data following a theft from one of its offices. The regulator had tried to cover up the leak by making no mention of the incident. According to experts at InfoWatch, some of the more recent data breaches have affected exactly those organizations that are, by definition, meant to have exemplary safeguards against leaks. Such incidents will continue to occur until federal, regulatory and other authoritative organizations implement effective systems to protect against leaks.
The NASD, formerly known as the National Association of Securities Dealers, has announced the theft of 10 laptops from one of its offices. The theft took place on Feb. 25 of this year, but the NASD kept the incident quiet for over four months. The regulator only went public after a journalist confronted the NASD with a police report at the end of June.
On June 30 an NASD representative stated that there was no private data on the stolen laptops and that the regulator had therefore decided not to publicize the incident or to send out notification letters. However, the journalist managed to find a person who had received a letter from the NASD reporting that his Social Security number, among other confidential records, was on one of the laptops stolen from the regulator’s office. The journalist is convinced that the letter refers to the same incident that the NASD tried to keep quiet. The letter also states that the laptops were "password protected", and that gaining access "would require an unauthorized user to reformat the hard drive, or use special software to bypass the computer's operating system."
Armed with this information, the journalist once again approached the NASD for further comment, but the regulator was less forthcoming. At the same time, relying on a login password alone as a security measure is highly questionable. According to experts at InfoWatch, a professional would need around 10-15 minutes to defeat such a fragile protective measure and gain access to any confidential information that was not encrypted. Therefore, it can be said with a reasonable degree of probability that the NASD has suffered a data breach, though on what scale remains unclear.
The NASD was founded in 1939 following a decision by Congress. The aim of the regulator is to ensure compliance with the rules of trading on the so-called OTC market, the market for securities that are not listed on ordinary stock exchanges or subject to their listing rules (covering profits, the number of shareholders and other issuer characteristics). The NASD is viewed as the toughest financial regulator in the US, which makes the organization’s lax approach to safeguarding private data and its attempt to keep the latest incident from becoming public knowledge all the more surprising.
“It is rather interesting that this incident has been made public at the current time. Last month the US government showed that it was incapable of protecting the nation’s private data after the Department of Veterans Affairs leaked details on nearly 30 million people. Last week a breach was reported at another regulator, the Federal Trade Commission, as well as an incident at Equifax which itself provides a service safeguarding against identity theft. It appears that leaks have started emanating from those organizations which are meant to have exemplary safeguards against data breaches,” says Denis Zenkin, marketing director at InfoWatch.
Source: eMediaWire