laptops and other devices
This page highlights recent examples of large scale exposure
of sensitive consumer information through loss or theft
of laptops and other devices.
It covers -
introduction
Why is exposure of data through theft or misplacement
of personal computers (desktop machines, laptops and PDAs)
and other devices, including servers, an issue?
One reason is that those devices often contain substantial
amounts of sensitive information in a readily usable form
and without protection such as encryption of individual
files or password protection to access the device. It
is much easier to walk out of an office or a cafe with
someone's laptop than it is to purloin 20 metres of paper
files.
Another reason is that the characteristics that make laptops,
PDAs and mobile phones
so valuable to users - their portability, adaptability
and potential to signify the owner's status - are characteristics
attractive to thieves. Much theft appears to have an opportunistic
basis; many thieves are interested in the device rather
than the information it contains.
The NSW Bureau of Crime Statistics estimated in 2004 that
3.4% of laptops are stolen each year, arguably under-reporting
because people without insurance often do not bother making
a report. In 2000 the Australian Minister for Defence
acknowledged that around 1.8% of the 7,000 laptops used
across his portfolio went AWOL each year, claiming that
"the portable computer loss rate in the private sector
is much higher at between 10% and 15%".
That acknowledgement is useful as an indication that loss
is not restricted to the private sector. In 2003 some
90 desktop and 25 laptop computers were either stolen
or lost from Australian defence establishments, up from
73 laptops and 105 desktop machines in 2001 (of which
13 held classified information and three held commercially
sensitive information). In 2000 the Defence Department
reported that 54 laptops were lost and 73 stolen. Overall,
in the 2001 financial year some 650 federal government
computers were reported stolen, with 30 laptops missing
from ASIO, the National Crime Authority and the Australian
Federal Police.
The UK Ministry of Defence reported that 594 laptops were
lost or stolen from 1996 to 2003, with around 30% containing
"sensitive" information. One MI5 employee famously
lost his laptop after he put it on the ground while buying
a train ticket. In 2006 the US Commerce Department reported
that it had lost 1,137 laptops since 2001, 672 from the
Census Bureau (of which 246 contained some personal data).
The National Oceanic & Atmospheric Administration
reported 325 missing computers.
The Ponemon Institute, in a controversial study sponsored
by Dell, asserted in 2005 that around 637,000 laptops
are lost in US airports each year, "most commonly"
at security checkpoints, with 65% not being reclaimed.
Critics of the study claim that actual losses are around
6% of Ponemon's figure.
Individuals continue to place laptops with unencrypted
sensitive information in ordinary air luggage. The statistics
for loss of baggage by major airlines are sobering. In
2007 the Air Transport Users Council (AUC) revealed that
BA mishandled 23 bags for every 1,000 passengers, losing
about 3,000 bags every day and over 1.047 million items
of luggage in 2006. BA, in an echo of comments by data
custodians, described its performance as "unacceptable"
and stated that "we fully apologise to customers
who have been affected by delayed baggage in the past
year". (Presumably a full apology is better than
the partial variety.) Lufthansa and Air France lost a
mere 982,000 items respectively.
CRA (2004)
In 2004 the Canadian Revenue Agency (the equivalent of
the federal ATO in Australia) reported the loss of six
laptop and desktop devices from its Laval, Quebec office.
One of the machines, used to test computer applications,
contained around two million records from four confidential
personal information databases. CRA notified over 120,000
affected individuals of the security breach.
universities
In 2004 two University of California Los Angeles laptops
were stolen. They contained unencrypted personal information
concerning 145,000 blood donors and 62,000 health patients.
A University of California Berkeley laptop stolen in 2005
held the social security numbers and other personal information
about 98,369 graduates. During the same year a laptop
containing data on 20,000 students and faculty in the
Vermont State College system was stolen from a vacationing
employee's locked car in Montreal. The laptop featured
unencrypted names, addresses, Social Security numbers,
payroll information and academic records on students.
(One might question practice in taking such data in unprotected
formats on vacation.)
MCI, ACS, Boeing and Omega (2005)
An MCI laptop stolen from an employee car in 2005 contained
the names and social security numbers of 16,500 current
and former MCI employees.
In 2005 thieves stole two computers from Motorola's HR
services provider Affiliated Computer Services, with information
on Motorola's US staff.
An Omega World Travel laptop stolen in 2005 contained
names and credit card details of 80,000 customers, including
US Department of Justice employees. During the same year
Boeing lost a laptop that featured "sensitive"
but unprotected information on 161,000 current and former
employees, including names, Social Security numbers, birthdates
and banking information.
In 2006 Boeing lost another laptop featuring the names
and Social Security numbers of 382,000 workers and retirees,
along with residential addresses, phone numbers, birth
dates and, in some files, salary information. The data was
apparently not encrypted. A Boeing spokesperson commented
that
"It's very disturbing to us when things like this happen,
and there are certain steps you can take right away
... but we realize we need to go above and beyond those."
NSWSTA (2005)
The NSW State Transit Authority, a government agency,
auctioned 12 servers in 2005. One of the buyers discovered
that the STA had failed to delete payroll and financial
information, Sydney public transport passenger counts,
ticketing system codes, incident reports and employee
access PINs.
Elsewhere on this site we have noted
that effective security may involve physical destruction
of disks, rather than erratic use of magnets or 'erase'
programs.
Ameriprise and Fidelity (2005)
In 2005 an Ameriprise Financial laptop was stolen from
an employee's parked car. It contained unencrypted lists
with personal information of about 230,000 customers and
advisers, including names and Social Security numbers
of 70,000 current/former financial advisers and the names
and internal account numbers of some 158,000 customers.
Ameriprise subsequently agreed to a settlement with Massachusetts,
on the basis that much of the missing data related to
the state's citizens. Ameriprise was required to hire
a third-party consultant to review its policies for laptops
and for taking information or equipment home. It agreed
to pay a derisory US$25,000 to cover the costs of the
investigation.
A year later Fidelity Investments reported the theft of
a laptop containing personal information about 196,000
current and former HP employees.
The Fidelity email to those employees stated
"This is to let you know that Fidelity Investments, record-keeper
for the HP retirement plans, recently had a laptop computer
stolen that contained personal information about you,
including your name, address, social security number
and compensation."
Later in the year General Electric revealed theft of a company
laptop containing the names and Social Security numbers
of 50,000 current and former employees. GE made the standard
offer of a year's free access to a credit-monitoring service.
YMCA (2006)
In 2006 the Providence (Rhode Island) YMCA lost a laptop
containing unencrypted personal information about some
65,000 members. That data included credit card and debit
card numbers, checking account information, Social Security
numbers, the names and addresses of children in daycare
programs and medical information about the children (eg
allergies and the medicine they take).
US VA, IRS and FTC (2006)
In May 2006 the US Government revealed that a Veterans
Affairs laptop with personal data on 26.5 million veterans
had been stolen from an official's home, with the admission
that the employee had been taking home sensitive data for
the preceding three years. The data included names,
birth dates, social security numbers, phone numbers and
some addresses. VA offered to pay for a year of credit
monitoring for the veterans, which it said would cost
US$160.5 million (somewhat more than the cost of encrypting
the data on the laptop). The device was recovered in June
2006 after a US$50,000 reward.
Later in 2006 the government announced that an Internal
Revenue Service employee lost an agency laptop as luggage
aboard a commercial flight. The device contained sensitive
personal information on 291 workers and job applicants
(including unencrypted names, birth dates, Social Security
numbers and fingerprints) but was protected by a double-password
system.
Shortly thereafter the Federal Trade Commission disclosed
theft of two laptops containing personal and financial
data on consumers. The data on 110 people was "gathered
in law enforcement investigations and included, variously,
names, addresses, Social Security numbers, dates of birth,
and in some instances, financial account numbers."
The laptops were password protected, although the effectiveness
of that protection is unclear.
In February 2007 the US Department of Veterans Affairs
(VA) announced loss of an external hard drive containing
the personal records of 48,000 military veterans. Some
20,000 personal records were not encrypted.
In July 2007 the Governor of Ohio revealed that the names
and Social Security numbers of over 786,000 taxpayers
were on a "computer storage device" stolen from
a state intern's unlocked car in June. The device included
data on 561,126 taxpayers with uncashed state income refund
cheques, the names and Social Security numbers of 64,000
state employees and of lottery winners who have yet to
cash winning tickets, the names and case numbers of the
state's 84,000 welfare recipients, names and bank account
information and Social Security numbers of 8,100 former
state employees and the tax identification numbers of
about 87,000 vendors.
A subsequent investigation revealed that the "device"
comprised unencrypted computer tapes, reflecting
"a questionable but longstanding practice in which OAKS
supervisors, contractors and, eventually, college interns
took backup tapes to their homes on a daily basis.
... Although OAKS is a $158 million IT project and the
State of Ohio is a $52 billion business enterprise,
OAKS administrators had not encrypted the data on the
stolen backup tape and had authorized a succession of
interns to take the tapes home for the previous two
years with only an admonition to store the tapes in
a safe place."
Hummingbird (2006)
Toronto software provider Hummingbird disclosed that an
employee lost "a piece of computer equipment"
that contained the names and social security numbers of
1.3 million American students. Those students were customers
of Texas Guaranteed, a US non-profit entity that administers
a family education loan program. Hummingbird had been
hired to develop a document management system.
Hummingbird's CEO stated that
"The privacy of customer data is of utmost importance to
us and we take our responsibility to safeguard it very
seriously. We deeply regret that this incident has occurred.
... We continue to investigate the facts surrounding
this loss of information and are taking all necessary
action in order to ensure that such occurrences do not
happen in the future."
The device was password protected; the files were not encrypted.
E&Y, ING and CS Stars (2006)
A laptop stolen from the trunk of an Ernst & Young
employee's car contained the names and credit card numbers
of some 243,000 customers of Hotels.com.
Although the loss occurred in February 2006, Ernst &
Young was reportedly unable to determine what was on the
device until early May, at which time it and Hotels.com
began notifying affected individuals. Earlier in the year
Ernst & Young had exposed data from Goldman Sachs;
another lost E&Y laptop featured names and social
security numbers of IBM, BP and Sun Microsystems staff.
The UK Register, in reporting on those incidents
and loss of four E&Y laptops from a conference room
in Miami while the staff were at lunch, sniffed that
"Ernst and Young has failed to issue a public statement about
these breaches despite being a major advocate of transparency
in such issues in its role as an auditor and corporate
advisor."
In responding to the Hotels.com theft E&Y stated that
it had no reason to believe the thief was specifically
seeking the information on the computer. It has since
added new security protections to the laptops of its 30,000
employees in the US and Canada.
Later in 2006 a laptop containing personal data of 13,000
Washington DC workers and retirees was stolen from the
home of an employee of ING US Financial Services. The
device was not protected by a password or encryption.
ING executives commented, as well they might, that they
believed the laptop was stolen for its value as hardware
and that the thieves might have been unaware of the data
it contained.
"For us, this is very unfortunate. But we're moving forward,
we're very focused and committed to find any other laptops
that don't have encryption software and to fix that.
This incident revealed a gap."
Critics noted that ING should have been well aware of that gap,
as two of its 5,000 laptops had been stolen in 2005. Those
devices contained unencrypted sensitive data regarding
8,500 Florida hospital workers.
In 2006 an unencrypted hard drive was lost during shipping
back to the American Institute of Certified Public Accountants
(AICPA) by a computer repair company. The drive held the
names, addresses and Social Security numbers of 330,000
AICPA members. Later in that year a laptop stolen from
a Deloitte & Touche employee's car featured home addresses,
phone numbers, Social Security numbers and salary information
on 12,000 Armstrong World Industries employees.
Also in 2006 insurance brokerage CS Stars lost "computer
hardware" from a "secured facility". That
hardware featured the names, addresses and Social Security
numbers of around 540,000 injured people in the New York
workers' compensation system. The device was owned by
the state but "cannot be located". CS Stars offered
identity theft insurance, 12 months free credit reports
and access to fraud resolution specialists.
EDS, FBI and Mercantile Potomac (2006)
A laptop computer containing pension data of former employees
of US supermarket chains Stop & Shop, Tops and Giant
was lost by an EDS employee (and "may have been stolen")
during a commercial flight in the US. The data included
names, Social Security numbers, employee birth dates,
benefit amounts and related administrative information.
The device went as cargo rather than carry-on luggage.
It was password-protected but the data was not encrypted.
EDS and its client Royal Ahold NV declined to say how
many former employees were affected.
Bethesda-based Mercantile Potomac Bank announced that a
laptop containing Social Security and account numbers
for nearly 50,000 customers was stolen from an employee's
car.
In 2007 the US Federal Bureau of Investigation reported that
at least 160 of its laptops had been lost or stolen over
the past four years. Ten contained highly sensitive classified
information; at least one included "personal identifying
information on FBI personnel". In 2002 the FBI had
roughly 11 laptops stolen or lost each month.
AIG, Nationwide, M&S and
(2006)
In June 2006 global insurance behemoth American International
Group revealed that a burglar stole computer equipment
in March from one of its US offices. That device contained
personal information on 930,000 people, including names,
Social Security numbers and some medical information.
In November 2006 the UK's largest building society, Nationwide,
disclosed loss three months earlier of an employee laptop
that featured names and account numbers for 11 million
customers. The device disappeared during a domestic burglary.
It featured a password but the customer details were not
encrypted. In February 2007 Nationwide was fined £980,000
by the Financial Services Authority, which noted
that Nationwide did not commence investigating the significance
of the loss until three weeks after the theft.
The building society was criticised by the FSA for not
taking early action and for inadequate procedures. Nationwide
conceded that the device held a considerable amount of
confidential customer data; it would not confirm the exact
nature of the data, claiming it had been advised by UK
police to limit the level of detail revealed about the
computer.
The FSA's director of enforcement commented
"Nationwide is the UK's largest building society and holds confidential
information for over 11 million customers. Nationwide's
customers were entitled to rely upon it to take reasonable
steps to make sure their personal information was secure."
A year later UK retail giant M&S revealed loss of a
laptop that held unencrypted personal details of 26,000
employees. The Information Commissioner's Office found
that M&S had breached the Data Protection Act and
ordered it to ensure all hard drives were fully encrypted
by April 2008.
In April 2008 the Bank of Ireland belatedly informed Ireland's
Data Protection Commissioner that personal data of around
10,000 customers was held on four laptops stolen from
the bank between June and October 2007. The data was not
encrypted. It included those customers' medical history,
life assurance details, bank account details, names and
addresses. The Bank alerted the customers in April 2008.
UK government
In January 2007 the UK Ministry of Defence (MoD) announced
loss of a laptop containing details of 600,000 potential
recruits, stolen from a Royal Navy officer.
"The stolen laptop contained personal information relating
to some 600,000 people who have either expressed an
interest in, or have joined, the Royal Navy, Royal Marines
and the Royal Air Force."
That included bank details of 3,500 people, the names of people
who made casual enquiries about joining the armed forces
and "extensive personal data" such as passport
and National Insurance numbers, driving licence details,
family details, doctors' addresses and National Health
Service numbers. The data was not encrypted.
The MoD announced that it was treating the loss "with
the utmost seriousness", contacting those whose bank
details were on the database but as of January apparently
not alerting other people.
HSBC
Global bank HSBC admitted in 2008 to losing a computer
server holding transaction data of 159,000 account holders
in a Hong Kong branch office.
It "lost track" of the server (now believed
to have been stolen) during renovation work at the office.
The data included account numbers, customer names, transaction
amounts and transaction types, but did not contain customer
PINs, passwords or user IDs. HSBC indicated that the data
was password protected.
UK Bar Council
In 2008 thieves stole four back-up hard drives and a laptop
from the offices of the Bar Council. That hardware held
contact details of over 12,000 practising barristers,
along with bank account numbers and 1,500 complaints records
(including the names and contact details of barristers,
complainants and witnesses).
The Council noted that the information was encrypted and
password protected, and that the contact details were
routinely published on websites and print directories.