Laptop computers containing sensitive information on current and former Anheuser‑Busch employees have been stolen from the beer maker’s premises. The beer company has certainly been making a splash in the news: first, they get bought out by InBev, a Belgian conglomerate, releasing a tsunami of waffle‑related jokes; now, this.
It is not known how many are affected since the company has not revealed such information. UPI.com, however, states that the lost data contains Social Security numbers, addresses, marital status, and whether an employee had used a “mental health counseling service.” Anheuser‑Busch is offering affected employees a year of free credit reporting. Signs seem to point towards the potential of a data breach, i.e., that perhaps laptop encryption solutions like AlertBoot were not used.
There are some conflicting reports, however. Some covering the situation write that Tim Farrell, the company’s vice president for corporate human resources, revealed in a statement that one of the laptops had used encryption to secure information about employees and family members. Others claim one laptop was stolen, and that it was encrypted. Others don’t mention encryption at all. In a rush to publish anything, people are doing exactly that: publishing anything.
There are salient points in the haze of confusion, though. The first is that these devices were not lost at the airport or left in the backseat of a car. Nope, they were stolen from their offices. Now, a brewer doesn’t require the security levels found at, say, a nuclear weapons design plant. However, Anheuser‑Busch being a Fortune 500 company, I don’t think I’d be off‑base imagining they at least had security guards in the lobby and doing the rounds at night.
And yet stuff got stolen. The fact that these computers were laptop computers is irrelevant. If laptops weren’t available, who’s to say that desktops wouldn’t have been stolen in their stead? In fact, I’ve felt for a while that the only way to ensure laptop computers don’t get stolen from an office is to have something even more valuable lying around the office as bait, like an impressively intricate diamond necklace. Of course, it’s also a ridiculous way of preventing something from getting stolen. However, the concept of having bait lying around is certainly used to prevent random burglaries of the really expensive stuff: for example, placing a jewel-encrusted golden statuette to distract the thief from the multi-million dollar Matisse hanging from the wall.
The other salient point is the credit monitoring. Now, the fact that it’s being offered indicates to me that there is a chance of a data breach occurring (although the absolute chance of an actual breach would be quite low; as most security professionals point out, machines generally get wiped and re‑sold). If all of the employees’ data had been encrypted, then such an offering wouldn’t be necessary.
That’s why I encourage full disk encryption over file encryption. Files dropped into a computer where the entire hard disk is encrypted are protected automatically. If the computer gets stolen, the contents of that computer are considered safe, even by the most cynical security consultants. File encryption (also known as content encryption) also features nearly iron‑clad data security; however, individual files have to be tagged for protection. It’s not as hassle‑free as full disk encryption, and it does require human intervention, usually the weakest link in the security chain.
Update (Aug 5, 2008): Anheuser-Busch released some more information over the weekend.
In a previous post, I had mentioned that Anheuser‑Busch had declined to reveal details on a data breach
A laptop with disk encryption is a safe laptop. And that’s what Anheuser‑Busch (stock symbol: BUD) has