The *** Cancer International Research Group (BCIRG) office in Edmonton, Canada, was broken into, and three laptops were stolen. Two of them were brand new and unused, so the chance of a data breach is not there at all. However, one of the laptops stolen was already in use.
The IT director for BCIRG has assured the public that the chance of an information security breach are remote (no word on whether there was sensitive data in that one laptop) because “a password was connected to a hard drive,” according to a quote from edmontonsun.com.
This statement is a little confusing for a couple of reasons. One: generally, a password doesn’t mean bupkis when it comes to data protection, unless that password is used to access encrypted data; I’d imagine that an IT director would be aware of this. Which brings me to confusion point number two: was there encryption on that hard drive? In other words, was a whole disk encryption product like AlertBoot used to secure the data?
Because, generally, if you have a potential data breach scenario due to computer theft and you’ve got some form of encryption protecting that computer’s data —be it file encryption or hard drive encryption—people tend to mention it. They say, “don’t worry. The contents were encrypted. Case closed.” Just mentioning password‑protection is code for “not really protected, but doesn’t that make you feel better because it sounds like there’s protection?” (You know, like your stockbroker telling you a particular security is rated “hold”—which really means sell. And a rating of “sell” means “sell yesterday.”)
Anywho, the above case is pretty confusing, so I think that there will be either some clarification in the near future.
Also, if this had been just a PR guy relating the news, I’d probably have pounced on it. Since it’s coming straight from the mouth of a tech-savvy person, I’d being a bit more circumspect. I know some people who would automatically mutter something under their breaths about “geezers…luddites…out of touch with reality…” and other choice words and phrases, since the director at a substantial organization generally tends to be older.
However, it behooves to remember that, despite most of us having to teach our grannies about the wonderful world of the internets (that last word’s not a typo), it’s also our grannies’ friends who invented the internet. And chances are that it’s them who are IT directors at sizable companies. Inventing the internet. Not bad for a bunch of out of touch luddite geezers, eh? Hence the need for caution in this case: just because you never know….
A clarification, however, is in order, since people hearing the above statement will naturally assume that password protection, not encryption, is enough to protect data when things go wrong.