Unlike organizations in highly regulated verticals, such as FinServ, government and healthcare, non-profit organizations are often not required to meet any kind of data protection standard. So even though the Fraternal Order of Police (FOP) website apparently harbored sensitive data such as police officer contracts and officer-to-officer correspondence, it was likely never required to use strong encryption to protect that data or strong authentication to secure member access.
While the FOP claimed it fell victim to a sophisticated attack, the security researcher who received the leaked data from the site’s hacker claimed that a common software vulnerability was used to breach it, one that could have been easily patched. The security researcher, Thomas White, also claimed that “a long list of free tools” would have easily found the problem and advised how to remediate it. And indeed, a cursory Google search uncovers a long list of free website vulnerability scanners.
Reportedly, the data seized by the hacker includes members’ names, addresses, DOBs and phone numbers, as well as police contracts and forum postings. According to one source, an additional trove of 18Tb is in the hands of White, who has not released it to date.
In a nutshell, a “Secure the Breach” data protection strategy means that an organization accepts that it may be breached at some point, and prepares for that day. Being prepared means encrypting data, both at rest and in motion, with hardware-based encryption; managing your encryption keys so they don’t get lost or misplaced; and controlling access to data using strong multi-factor authentication.
Less than a year and a half ago, the FBI’s Criminal Justice Information System Security Policy (CJIS-SP) went into effect. The mandate includes a long list of controls, among them those outlined in Gemalto’s Secure the Breach strategy, such as ‘Advanced Authentication’ when accessing the criminal justice information system remotely (from outside a police department). Although the FOP is a fraternal police union and its site is not subject to CJIS, it might have benefited greatly from the controls outlined by the federal regulation.
To learn more about how Gemalto’s suite of Identity and Data Protection solutions can help you comply with CJIS-SP, visit our CJIS-SP compliance page.