
Saturday, November 18, 2006

Nationwide laptop stolen : customer details at risk?

The news that one of the Nationwide's laptops was stolen should not come as a surprise to anyone. It's pretty much a given that within any organisation a small number of laptops will be lost or stolen every year. What differentiates the cautious from the downright negligent is how a company mitigates this very real risk. The negligent approach is exemplified by several companies and organisations that have hit the news over the past few months. These organisations think that:
  1. They can pretend it never happened or never will happen.
  2. If it does happen they can ignore it and it may go away.
  3. If it does happen they can ignore it, the thief will re-format the hard drive and it will end up in a car boot sale somewhere.
  4. There's no sensitive data on the laptop so it doesn’t matter.
  5. The O/S password will prevent all but the most determined thief.

Pretend it won’t happen

Well, firstly, laptop theft has happened and it will happen again, and it seems to be getting more likely. We already know of individuals who have been specifically targeted for their laptop, and there seems to be a growing trend for opportunistic burglars too: they'll take the laptop and the contents of the filing cabinet in the study in preference to the TV, DVD and hi-fi from the living room.

Pretend it never happened

The "pretend it never happened or doesn't matter" approach seems to be a common trend amongst the recent spate of data thefts involving laptops and PCs. It's not surprising, as it is one we have heard repeatedly over many years; we call it the Ostrich Syndrome. To illustrate this, consider the following extracts taken from the web sites of several of the organisations involved.

US Department Of Veterans Affairs "Authorities believe it is unlikely the perpetrators targeted the items because of any knowledge of the data contents. Again, we want to reassure you we have no evidence that your protected data has been misused."

Department of Transport: Office of the Inspector General "OIG does not have reason to believe that the perpetrator or perpetrators targeted the laptop because of any knowledge of the data contents."

It seems that this was the Nationwide’s approach until the news got out earlier this week and it was made to face up to reality.

Philip Williamson Nationwide Chief Exec

Even after the Nationwide was forced to admit something was amiss, they still refuse to come completely clean. On the Today programme on BBC Radio 4 this morning, the chief executive of the Nationwide Building Society, Philip Williamson, refused to reveal what was on the laptops or what 'security protection', if any, was in place. This was presumably done in the belief that obscurity provides some form of defence. Philip, it doesn't, and that is something we knew back in ancient times; since then we have given up using steganography as a means of hiding anything.

It’ll just end up in a car boot sale

As Lothian and Borders Police found out, stolen laptops often do end up in car boot sales. However, they are also often not reformatted and still contain the sensitive data they did when they went missing. In this particular case it was an old laptop, and the Police had made arrangements to have such devices disposed of securely, a process which obviously failed. Companies often omit even to take similar precautions when laptops or other hard disks need disposal. The fact is that if the data has been encrypted from the outset, disposal ceases to be a security problem and becomes more one of ensuring that the company complies with the new, stringent WEEE regulations.

There's no sensitive data on the laptop

Indeed, there really doesn't need to be any sensitive data on a laptop for its theft or loss to cause a serious problem for the company. If the chief executive of the Nationwide, Philip Williamson, is to be believed and there's no such data on the laptop that was stolen, he's still going to have to send that letter to all 11 million of his customers. That is going to cost them serious money and a huge loss of reputation.

Often IT managers seeking to reduce the cost of installing laptop encryption will suggest that only some laptops are fitted with it, arguing that the users are not allowed to save sensitive data, or that they use some form of thin client and no data at all is saved to the local hard disk. This is another fallacious argument: the Nationwide's stolen laptop was presumably not supposed to be left unattended, or even to have the alleged data on it, but people do things they are not supposed to do, and that means they will save data locally. In addition, the applications we assume will prevent data being saved to the local drive will always leave a footprint that exacerbates the risk. Don't take chances: encrypt everything.

The O/S password

There's a belief that the average thief doesn't know the value of the data on a laptop and won't spend any time trying to get at it. Thus the standard BIOS or Windows password will be enough to deter them from doing anything but formatting the drive and re-installing Windows before taking it to the nearest car boot sale.

Unfortunately this is so far from the truth that it shows a negligent lack of understanding. The bad guys actually fall into three categories: the stupid, the opportunist and the determined.

The stupid don't do anything but sell the laptop to the nearest person who'll give them money. They wouldn't have the time, energy or know-how to '..format and re-install..'; they need a fix and just want cash.

The opportunist is likely to be the nearest person the stupid one sold the laptop to and, realising what the data is likely to be worth, he will sell the laptop for a neat, easy profit to the determined.

The determined, or his friends, will have all the know-how and the time to crack all but the best encryption and, just as importantly, to make use of the data or have the contacts to sell it on to those who can.
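The two points made above, that an O/S password is an access check rather than a property of the bytes on the platter (the thief simply reads the drive in another machine), and that a drive encrypted from the outset turns disposal into a key-management problem, can both be shown in a few lines. The following is an added example written for this page, not code from the original post or from any product it mentions. It uses only the Python standard library; the cipher is an HMAC-SHA256 keystream with an HMAC tag, chosen purely so the example is self-contained, and is a stand-in for the AES-based full-disk encryption a real product provides. The laptop classes, passphrases and customer record are constructed for illustration.

```python
"""Added example: O/S password vs. disk encryption, and crypto-erase on disposal."""
import hashlib
import hmac
import secrets

# Constructed sample "disk contents"; not real customer data.
CUSTOMER_RECORDS = b"acct=12345678;name=A. Customer;postcode=XX1 1XX\n"


class UnencryptedLaptop:
    """The 'O/S password' model: the login prompt is the only gate."""

    def __init__(self, os_password: str, data: bytes):
        self._os_password = os_password
        self.disk = data  # plaintext sits on the platter exactly as saved

    def login_and_read(self, password: str) -> bytes:
        if password != self._os_password:
            raise PermissionError("wrong O/S password")
        return self.disk

    def read_disk_in_another_machine(self) -> bytes:
        # Drive pulled and mounted elsewhere: the login prompt never runs.
        return self.disk


# Illustrative cipher (stand-in for AES): HMAC-SHA256 counter-mode keystream
# plus an HMAC tag so a wrong key is detected rather than yielding garbage.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptedLaptop:
    """Full-disk encryption model: random data key, wrapped under a passphrase key."""

    PBKDF2_ITERATIONS = 200_000  # makes passphrase guessing slow

    def __init__(self, passphrase: str, data: bytes):
        self.salt = secrets.token_bytes(16)
        dek = secrets.token_bytes(32)               # data-encryption key
        kek = self._kek(passphrase, self.salt)      # key-encryption key
        self.key_slot = encrypt(kek, dek)           # stored in the disk header
        self.disk = encrypt(dek, data)              # what sits on the platter

    @classmethod
    def _kek(cls, passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, cls.PBKDF2_ITERATIONS)

    def unlock_and_read(self, passphrase: str) -> bytes:
        dek = decrypt(self._kek(passphrase, self.salt), self.key_slot)  # raises if wrong
        return decrypt(dek, self.disk)

    def read_disk_in_another_machine(self) -> bytes:
        return self.disk  # ciphertext only, whatever machine reads it

    def crypto_erase(self) -> None:
        # Disposal: destroying the key slot makes the ciphertext unrecoverable,
        # even with the correct passphrase; no multi-pass wipe of the platter needed.
        self.key_slot = b"\x00" * len(self.key_slot)


def demo() -> dict:
    """Run both models and report what each exposes."""
    plain = UnencryptedLaptop("hunter2", CUSTOMER_RECORDS)
    enc = EncryptedLaptop("correct horse battery staple", CUSTOMER_RECORDS)
    r = {
        "plain_raw_read_exposes_data": plain.read_disk_in_another_machine() == CUSTOMER_RECORDS,
        "enc_raw_read_exposes_data": CUSTOMER_RECORDS in enc.read_disk_in_another_machine(),
        "enc_unlock_with_passphrase": enc.unlock_and_read("correct horse battery staple") == CUSTOMER_RECORDS,
    }
    try:
        plain.login_and_read("guess")
        r["plain_wrong_password_blocked"] = False
    except PermissionError:
        r["plain_wrong_password_blocked"] = True
    try:
        enc.unlock_and_read("guess")
        r["enc_wrong_passphrase_rejected"] = False
    except ValueError:
        r["enc_wrong_passphrase_rejected"] = True
    enc.crypto_erase()
    try:
        enc.unlock_and_read("correct horse battery staple")
        r["erased_disk_recoverable"] = True
    except ValueError:
        r["erased_disk_recoverable"] = False
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unencrypted model blocks the wrong password at the prompt yet hands over every byte to anyone who reads the drive directly; the encrypted model gives that reader only ciphertext, and zeroing the key slot leaves the old drive safe to send for WEEE recycling without a physical wipe.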

What now?

For Philip, whatever he does it's likely to be too little and too late. For the rest of you: encrypt all of your laptops, and do it NOW! Just build it into the cost of the device; fifty-five quid per laptop seems like a small price to pay when faced with eleven million letters to write, plus the subsequent legal fees and the free credit monitoring services you'll have to give away to all your customers when the next PC goes AWOL.

UPDATE

The FSA have fined Nationwide £980,000 for failing to maintain an adequate level of security.

Nationwide fine for stolen laptop : BBC News

Robert Campbell

Related Links

The Nationwide Building Soc.
Security raised over laptop theft
Millions at risk in laptop theft: BBC Money Box
Utimaco SafeGuard Easy: Laptop Security and hard disk encryption


posted by Robert Campbell 9:21 AM
