The Irish Gas Board (Bord Gais) has revised their figures of customers affected in the laptop data breach from June. If you'll recall, the theft of four laptops--with one of them containing sensitive and financial information, but not protected via data encryption--have led to the loss of customer information. Initially, it was announced to have affected 75,000 customers who had recently switched electricity providers to Bord Gais. The latest figures put the number at 100,000 affected, and according to The Sunday Business Post Online, this is not disputed by Bord Gais.
The Irish Gas Board (Bord Gais) has revised their figures of customers affected in the laptop data breach from June. If you'll recall, the theft of four laptops--with one of them containing sensitive and financial information, but not protected via data encryption--have led to the loss of customer information.
Initially, it was announced to have affected 75,000 customers who had recently switched electricity providers to Bord Gais. The latest figures put the number at 100,000 affected, and according to The Sunday Business Post Online, this is not disputed by Bord Gais.
This revision in figures is not really unexpected, especially when one considers that the original announcement was made soon after the actual theft took place. It takes time to figure out the contents of a computer's hard disk, and with the capacity of today's disks, it takes longer than one would expect: making any announcements too soon more than often means having to make a correction down the line. In theory there should be no need for corrections. After all, the usual, commonsense wisdom is that a person knows what he's saved on that computer. So, in the case of Bord Gais, questioning the employee who used the laptop with the sensitive data should have sufficed: He points out which files contained sensitive data, and the IT department looks through the backups to see how many people's names were in those files.
This revision in figures is not really unexpected, especially when one considers that the original announcement was made soon after the actual theft took place. It takes time to figure out the contents of a computer's hard disk, and with the capacity of today's disks, it takes longer than one would expect: making any announcements too soon more than often means having to make a correction down the line.
In theory there should be no need for corrections. After all, the usual, commonsense wisdom is that a person knows what he's saved on that computer. So, in the case of Bord Gais, questioning the employee who used the laptop with the sensitive data should have sufficed: He points out which files contained sensitive data, and the IT department looks through the backups to see how many people's names were in those files.
As case after case shows, relying on people to do the right thing when it comes to data security is ineffective. Not because people don't try (although, there are a lot of people out there who don't try), but because people are fallible. They may fail to follow rules; or fail to remember to delete important, temporary files; or even fail to remember that they were working on a sensitive file. When one works with sensitive files all day long, they all start to look...well, like common, everyday files because everything is relative. This is not unlike when one million dollars looks like chump change to people who've for years been involved in deciding how to budget ten billion dollars. Which is why data security policies, while important, ultimately come short when it comes to actually protecting data: people become too comfortable once the initial worries wear off. Plus, chances are a security incident won't take place. Then the stuff hits the fan (after all, accidents don't make an announcement before they happen), and people realize, hey, I wasn't following these policies the company has spelled out for me. If Bord Gais had actually encrypted all of their laptops (all indications seem to point that the one laptop not encrypted was an oversight) with information security software like AlertBoot hard disk encryption or if file encryption had been used to protect only the important files, their data would still be protected even if people were lax when it comes to data security. The good news is that, so far, there haven't been any customers calling Bord Gais that they've been victims of fraud. This is not a guarantee that it won't happen in the future.
As case after case shows, relying on people to do the right thing when it comes to data security is ineffective. Not because people don't try (although, there are a lot of people out there who don't try), but because people are fallible.
They may fail to follow rules; or fail to remember to delete important, temporary files; or even fail to remember that they were working on a sensitive file. When one works with sensitive files all day long, they all start to look...well, like common, everyday files because everything is relative. This is not unlike when one million dollars looks like chump change to people who've for years been involved in deciding how to budget ten billion dollars.
Which is why data security policies, while important, ultimately come short when it comes to actually protecting data: people become too comfortable once the initial worries wear off. Plus, chances are a security incident won't take place. Then the stuff hits the fan (after all, accidents don't make an announcement before they happen), and people realize, hey, I wasn't following these policies the company has spelled out for me.
If Bord Gais had actually encrypted all of their laptops (all indications seem to point that the one laptop not encrypted was an oversight) with information security software like AlertBoot hard disk encryption or if file encryption had been used to protect only the important files, their data would still be protected even if people were lax when it comes to data security.
The good news is that, so far, there haven't been any customers calling Bord Gais that they've been victims of fraud. This is not a guarantee that it won't happen in the future.
Related Articles and Sites:http://www.sbpost.ie/post/pages/p/story.aspx-qqqt=IRELAND-qqqm=news-qqqid=42906-qqqx=1.asp