June 30, 2009, 10:07 AM — No company wants their confidential, competitive data to wind up for sale at a market in Ghana. Northrop Grumman, a U.S. government contractor with clients including the Defense Intelligence Agency and the Transportation Security Agency, especially wouldn’t want the unencrypted details of its sensitive customer contracts to become merchandise at an open-air bazaar.
But that’s exactly what happened.
The sensitive data was stored on a drive that had belonged to a Northrop Grumman employee and had been installed in a PC that the contractor paid a third-party vendor to dispose of. Northrop Grumman believes the drive may have been stolen from the disposal vendor.
"Despite sophisticated safeguards, no company can inoculate itself completely against crime," the contractor said in a statement. True, but shouldn’t Northrop Grumman, which calls itself a `leading global security company,’ at least encrypt its drives?
In this world of data breaches, security experts extol the values of encrypting data, both “in motion” (meaning sent via e-mail or transferred to a removable device) and “at rest” (stored on a pc, server, or storage device.) I wonder what’s more damaging to Northrop Grumman, the fact that its confidential data could be bought on the open market, or the revelation that the company apparently doesn’t follow basic security practices with its own equipment?
Encryption isn’t 100 percent secure, but then again nothing is. Encrypting sensitive data seems to be a no-brainer step towards becoming as secure as possible.
Do you tweet? Follow me on Twitter here.
