Friday, February 29, 2008

IBTS and the Missing Laptop - Part I

Yippee, it's like winning the lottery. I just got a letter today from the Irish Blood Transfusion Service (IBTS) telling me some great news: my donor records were among the 171,324 records that were on a laptop that was stolen in New York on 7th February.

I have been dreading this since the news broke on the Irish news over a week ago. In summary, the IBTS 'loaned' this data to the New York Blood Centre (NYBC) because they need a new data extraction tool that it seems no one in Ireland is capable of developing. An employee of the NYBC had a copy of the data on his laptop and lost the laptop when he was mugged outside of his home. I find it very disturbing that anyone was allowed to bring this type of data outside of a secure centre.

According to the letter I received, the data was "encrypted with a 256-bit encryption. Those records were transferred to a laptop and re-encrypted with a 256-bit encryption". What does this mean? Why did it have to be re-encrypted? Does this mean at some point the data was unencrypted? If it was, and this is the same laptop that was stolen, that is bad news.

But it's OK, because according to the CEO of the IBTS, Andrew Kelly, the chances of decrypting this information are "extremely remote", and, "To our knowledge there has never been a report of a successful attack against a 256-bit encryption key." He should read the 2005 paper "Cache Attacks and Countermeasures: the Case of AES" by Dag Arne Osvik, Adi Shamir and Eran Tromer, who in one attack managed to obtain an entire 256-bit AES key after 65 milliseconds.

The Data Protection Commissioner undertook an investigation of the entire event, and according to their conclusions the IBTS seems to have done everything correctly. Well, that's alright so.
