Databreaches.net has kept up with the Bord Gáis laptop theft fiasco from June, and links to a report revealing that the person "responsible" for the breach "had specific responsibility for ensuring the protection of data." If you'll recall, one of the four computers did not use laptop encryption software like AlertBoot endpoint security software.
"Bord Gáis data security expert had laptop stolen" is the title of the article. Except, there's no real indication that the employee in question was actually a data security expert. The article by the irishtimes.com goes on to note that the staff member was responsible for data protection.
And while reason dictates that one should have a data security expert in charge of data protection...well, let's just say that sometimes one can become an "expert" on an ad hoc basis (e.g., Jim should become the guy in charge of data security because he knows how to use Norton. Yeah, I know; at that rate, I could be the lead rocket scientist at our company because I once created a Mentos-powered bottle rocket.)
The article also notes that fourteen people complained about the theft of their data (an extremely low number, considering nearly 100,000 people's records were involved). It is followed by "although no individual was found to have suffered a financial loss as a result," which leads me to believe that the fourteen must have filed complaints regarding ID fraud.
(For example, if credit card information was used to rack up charges, the actual owners of those cards can contest the charges, and ultimately not experience any financial impact.)
However, if this is the correct interpretation, it means that the thief or thieves that stole the four laptops did take a peek at the contents in the computers. I may be off, but I seem to remember someone mentioning that in such cases, the thieves usually are interested in a quick turnaround. And I would agree--when it came to the three encrypted laptops, but not so much for the one unprotected one.
As ironic as the irishtimes.com's title may sound, let's not forget that Bord Gáis was in the process of encrypting all of their computers, and this particular burglary was just ill-timed for everyone concerned but for the thieves.
While I've pointed out that there's no indication that this so-called security expert was actually one, experts in the same situation would just shrug their shoulders and note that this is what happens when you don't have information security set up correctly.
The ideal scenario is to encrypt laptops and other digital devices before putting one byte of sensitive information on them. As it was, the computers were already in use, so there was a real risk of something going awry.
Of course, this does not quite explain why just one computer out of four was left unencrypted. If one uses a centrally managed encryption solution, it takes about as much time to encrypt three laptops as it takes to protect four of them...
Related Articles and Sites:
http://www.databreaches.net/?p=8095
http://www.irishtimes.com/newspaper/ireland/2009/1105/1224258100884.html