Several sites are reporting that a laptop computer belonging to the Office of the Comptroller and Auditor General of Ireland has gone missing. Depending on the source, the computer—which did not feature laptop encryption like AlertBoot and was lost at a bus stop—contained information on government staff or “commercially sensitive financial details.” RTE.ie lists “company information, purchase orders, and value of invoices” among the latter.
Supposedly this is the sixteenth laptop to go missing since 1999 from the C&AG, which means two laptops go missing each year, on average. From the auditor’s office. By definition, these are the guys who have to hold sensitive information because, well, if they don’t know what to look for, how are they going to do their jobs? That fact alone would mean that extreme care should have been employed in securing the data on any laptop computers used by auditors at this office.
Most people following data security breaches are aware that Ireland’s neighbor has had more than its fair share of information security blunders, which don’t show any signs of abating. Could this be spreading to the smaller island?
I felt maybe it was. After all, if one’s consistently been having information security problems for eight years and still allows unencrypted laptops to go around…well, it means that the appropriate mindset is not there. However, a quick scan of the press release by the C&AG shows that the latest incident is an unfortunate lapse in an ongoing effort to keep digital data secure.
For example, an encrypted audit management system was rolled out in 2007. Also, portable media devices like memory sticks and CDs were collected office‑wide earlier this year, and are pending destruction. Apparently, the office has handed out encrypted USB memory sticks to all staff for any necessary data transfers; I’m unable to tell whether this was in response to, or enacted prior to, the latest data breach incident.
Where they have failed, I guess, is in not using encryption on all computers. Although the office has had their staff declare their computers clean of client data (with the exception of what is encrypted), the truth is there is no real way of knowing that this is true. I’m not accusing the staff of lying or being lazy or cutting corners. It’s just that sometimes one doesn’t know what’s on his computer. And who has time to actively search through their computer to see if sensitive data can be located? Then there’s the chance that even if one diligently scans the computer, one might have missed something.
That’s why hard drive encryption is often recommended over file encryption. Some may complain that drive encryption hits a computer’s resources much more heavily, but the truth is that for ninety percent of people out there, it won’t be an issue.
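To illustrate how a diligent scan can still miss something, here is an added example (not from the C&AG, the press release, or any vendor): a keyword scan run over a temporary folder of sample files. The file names, contents and search terms are all constructed for the illustration.

```python
import tempfile
import zipfile
from pathlib import Path

# Search terms based on the kinds of data the post mentions (assumed list).
TERMS = (b"purchase order", b"invoice")

def build_sample_laptop(root: Path) -> set[str]:
    """Create constructed sample files; return the names that hold client data."""
    (root / "report_q2.txt").write_text("Invoice 884, value 12,000\n", encoding="utf-8")
    # Same kind of data, saved by an application that writes UTF-16.
    (root / "notes.txt").write_text("Purchase order 4471\n", encoding="utf-16")
    # Same kind of data, tucked inside a compressed archive.
    with zipfile.ZipFile(root / "backup.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("export.csv", "PO-1001,purchase order,invoice value 1200\n" * 20)
    # A harmless file that should never be flagged.
    (root / "todo.txt").write_text("book meeting room\n", encoding="utf-8")
    return {"report_q2.txt", "notes.txt", "backup.zip"}

def keyword_scan(root: Path) -> set[str]:
    """Flag files whose raw bytes contain a search term (case-insensitive)."""
    flagged = set()
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes().lower()
            if any(term in data for term in TERMS):
                flagged.add(path.name)
    return flagged

def run_demo() -> tuple[set[str], set[str]]:
    """Return (files the scan flagged, sensitive files it missed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sensitive = build_sample_laptop(root)
        flagged = keyword_scan(root)
        return flagged, sensitive - flagged

if __name__ == "__main__":
    flagged, missed = run_demo()
    print("flagged:", sorted(flagged))
    print("missed :", sorted(missed))
```

The scan flags only the plain-text file; the UTF-16 copy and the zipped copy go unnoticed, although all three hold the same kind of data. Drive encryption protects all three without anyone having to find them first.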
Related Links:
http://audgen.gov.ie/viewdoc.asp?DocID=1106
http://ukpress.google.com/article/ALeqM5jT-AJ2KI8VaSDGN0KFYIOqfnttfw
http://www.rte.ie/business/2008/0801/cag.html