We know that losing a laptop is more than just losing the money paid for it, or the man-hours of work done on it. It's losing the data inside of it that's the most frightening - worse if the laptop isn't a personally-owned one but a corporate one. Bad enough that the laptop would be sold on the street for a quick buck - worse if any smart criminal (and there are plenty out there) knows that what's inside is worth more than the street value of a hot notebook.
We decided to do a "stolen laptop" search in the QJ site, and the first two stories that popped up (by relevance) were also among the scariest in this regard - because they were big-ticket news events:
- A laptop used by administrators of a day-care program in Rhode Island, containing the sensitive financial (ex: bank account numbers) and personal information (ex: name, address, phone numbers) of around 65,000 of the program's members, stolen from a locked office; and
- Ernst & Young laptops with the employee account information of client companies being stolen, forcing the firm to issue plenty of oops-we're-sorry-themed letters to its clients.
Let's not even mention the stolen Department of Veterans Affairs laptop that contained the records of more than 26 million veterans and their families. Fortunately the laptop was later recovered, and the FBI has determined the integrity of the data inside.
But you want to know what's really scary? Like everything else in life, it's not what you can see that scares you. It's what you don't see that makes people run to Mommy, or curl up into the fetal position and suck thumbs. In this case we're talking about what doesn't make it into the news.
The Ponemon Institute, a non-profit which advocates responsible information management and security, sponsored a survey of stolen laptops - and the compromised data from them - reported to the authorities in 2005 and 2006. Among those reported were publicized incidents such as the Ernst & Young case, but the meat of the numbers was the incidents that didn't make it into the news.
The result: with 71 laptops containing sensitive information reported to the authorities over that two-year period, an estimated total of 32,771,838 records were compromised (estimated because in a few cases, the number of compromised data records was unknown or not disclosed). Even assuming that some of the compromised records were duplicates or differently-themed records referring to the same person, given that number and the geographic spread of the reported thefts (read: all over the country), that's still a staggering number of people whose records have been compromised.
Add to that a report that four out of five US firms have had at least one laptop with sensitive information stolen, and the FBI stating that laptop theft is the second most common computer crime, and that less than two percent of those are ever recovered, and info-management administrators everywhere must be wishing they could keep their laptops in Fort Knox.
We at QJ aren't in the business of making presumptions - well, not too many of them, anyway - but let's try thinking like the bad guys for a change. Presuming that all the records concerned were fully compromised, what can you do with them? Assume they contain at least a name and some pertinent contact and account information, like emails, phone numbers, account numbers, and such. At the very least, the email addresses could be used for spam - or worse, malware - purposes. At worst, they can be used to hack into personal or corporate accounts, help sabotage competitor firms, or blackmail individuals with questionable or dubious records (especially if we're talking about confidential medical or biographical records here).
And it's gone beyond laptops. Even the innocuous iPod can now become a target for cyberthieves, especially after we saw this report come out of a guy who used his iPod to store stolen identity information. Not just iPods, but any storage medium in which its user decides to store sensitive personal or corporate information.
At the Ponemon website they posted a graph displaying the results of a tracking study - Will you become a victim of identity theft at some point in the future? - through a 17-month period from 2004-2005. Way over half of the individuals surveyed responded positively or "unsure," especially in early 2005. (That's a copy of the graph right beside this text.)
No wonder information security and especially laptop security has become a growth industry of late. We've featured a number of devices and programs here, such as a laptop with RFID and facial recognition tech, and software that remotely encrypts or deletes data from stolen laptops.
Proper information security always begins at home (or in the home office), and it's always as basic as keeping an eye on your laptops when they're out and about, or keeping them locked in a secure location (preferably Fort Knox, but a good safe would do) when it's time to rest. Don't trust that a locked car will be enough; determined thieves (in it for the money or for the data) will find a way to break in. And if it's a corporate laptop, mobile or other electronic storage medium, there's a reason why they're labelled "corporate." Security devices are only an additional layer of defense; the first line always begins with the owner or administrator and his security policies.
Beyond common sense, the author of our source article argues for laws that impose harsh penalties on organizations that are careless with their customers' or members' electronic data. In the long run, it may make good sense - if we as customers or members have to give our names, contact details, and financial data to these organizations to sign up, receive benefits, or purchase items, then we have to trust those organizations to make sure that the same data we give cannot be used against us. A ton of spam a day is bad enough. The worst damage that can happen from identity theft is one we don't want to contemplate.
Quote of the day, from Dr. Larry Ponemon of the Ponemon Institute: "Corporations are clearly struggling with the challenges of identifying and protecting sensitive data, as well as developing successful strategies for securing confidential information stored among the myriad devices that make up today’s data networks." Let's hope they win this one in the end.