AlertBoot Endpoint Security

Drive Encryption Software: Australian Institute of Company Directors Computer Stolen

A computer was stolen from the Australian Institute of Company Directors (AICD) during a power outage.  The desktop computer, used for testing purposes, held personal data for 66,000 people.  The computer was not protected with disk encryption like AlertBoot, although some other means of security was in place.

Four Bad Practices

There are so many things wrong with this story that I don't know where to begin.  First off, there is the fact that a computer that held the information of 66,000 people, including the 28,000 members of the AICD, was not secured with encryption software.  As a result, names, addresses, phone numbers, dates of birth, and member numbers were breached.

Second, it turns out that the stolen desktop computer only held that data because the organization was testing a new CRM upgrade, and was using the computer as a test machine.  They used real data for that testing.  That's a huge blunder, even more basic than not using disk encryption programs.  Indeed, if the testers had done things right, encryption wouldn't have been necessary, since only fake data would have been lost (in hindsight, of course).

Third, the information was not deleted after being used, obviously.  There is no mention of when the testing occurred, but the fact that it was not secured and was real data makes it inexcusable that it wasn't deleted right away after it was "needed."  The longer the period between the theft and the testing, the more egregious the situation is.

Fourth, the machine was not secured physically.  Certainly, it was a desktop computer.  But, just because it was a desktop doesn't mean that it's not portable, just that it wasn't designed for portability.  For example, mattresses are portable, especially if more than one person is involved in moving them.

Anyhow, according to an article at theaustralian.com.au, the computer was stolen "due to the positioning of the computer (near the door)."  At this point, it wouldn't surprise me if they had stated that the thing was being used as a doorstop.

Inside Job?

Some point towards the fact that the computer was stolen during a power outage -- which disabled the security doors -- and wonder whether this is something akin to Ocean's Eleven, the Clooney flick where a casino is robbed after an entire block of Las Vegas loses its electricity.  The thing is, the power outage was scheduled.

Of course, one wonders, if it was scheduled, why didn't they have the extra security to account for the fact that the doors wouldn't be secure anymore?  I guess tack on another one for the "bad practices" list.

1 Out of 24 Australians Don't Know How to Read and Other Problems  (Oooh, I'm Going to Get Nasty Emails...But Read Until the End Before Flaming Me)

That's per the comments section, and an admittedly non-representative survey.  Despite the fact that the article clearly notes that the stolen computer was a desktop version, one commentator at theaustralian.com.au goes into a harangue on AICD data being on notebook computers.

In fact, the comments section shows a mix of informed and misinformed people.  Consider the following:

"Protected? As in a windows password preventing people from logging onto windows? I highly doubt the data itself was encrypted, making it very easy to copy off the internal drive."

Another person who doesn't read carefully.  The article clearly notes that the computer was not encrypted.  However, the person is right in pointing out that if computer encryption was not used, it's very easy to copy data off the computer.  And this is true regardless of what other security measures were in place, especially if we're talking about a Windows password prompt.

"Someone is very silly someone was asleep anybody heard of a Kensington lock obviously not for a small price such a lot of information"

"$50 Kensington Keyed Lock would have done the trick, regardless of power outage...."

Yes and no.  As I noted in the "fourth bad practice" above, computers need to be secured.  However, if there is no one in the vicinity, Kensington locks are a deterrent only to the infirm, the really young, and people who don't know how to use tools.

Otherwise, what's to prevent a person from cutting a cable lock with a bolt cutter, or from just ripping the thing?  Yes, the computer will be damaged, but it will still work because it's only the chassis that gets damaged.  And if you're after the data, that hardly poses a problem.

The sad thing about the above is that it's not just Australians that think this way.  People the world over have similar misperceptions regarding data security.  In certain places, such as Japan, this misconception doesn't matter because there is a good chance that nobody will filch your laptop at Starbucks while you go to the bathroom...even if you don't have it locked to a table.

In some other places, you might need armed guards.


Related Articles and Sites:
http://www.perthnow.com.au/business/business-old/aicd-members-personal-details-stolen-from-national-office/story-e6frg2qu-1226073019090
http://www.theaustralian.com.au/australian-it/pc-with-66000-records-at-australian-institute-of-company-directors-stolen/story-e6frgakx-1226072943601#

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.