The following text is copyright 2006 by Network World. Permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Laptop security: doesn't anyone read the papers?

by Scott Bradner
Over the last few months there has been an unremitting drumbeat of news stories about vast amounts of data being lost when corporate laptops get stolen. In almost all of these cases the data on the laptop was not encrypted, but that is not the real problem.
Google gets 8.2 million hits for "laptop + stolen" and Google News gets 1,700. Some of these hits point to software or devices to protect laptops against theft or to track them when they get stolen, but all too many are about laptops getting stolen, and far too often those laptops have what should be confidential information on thousands of people.
The latest example comes from Ernst & Young (E&Y), who managed to stuff a laptop with information about more than 240,000 Hotels.com users, fail to encrypt it, then arrange things so that the laptop could be stolen. Apparently this happened a while back, but E&Y did not have the honesty to publicly admit their stupidity until The Register (http://www.theregister.co.uk) started nosing around. This is not the only laptop that E&Y has let slip through its fingers this year. Earlier this year 4 E&Y laptops were stolen from a conference room while the E&Y auditors that were supposed to protect them were off at lunch (http://www.theregister.co.uk/2006/02/26/ey_laptops/). That happened shortly after another E&Y employee managed to lose his laptop containing the Social Security numbers of employees of some E&Y customers, including Sun Microsystems. E&Y refuses to say how many people were threatened by that loss.
Ernst & Young is hardly alone in its zeal to expose others' confidential information and then not fess up. There is the marvy case of the VA employee who had been taking home disks full of SSNs and other information on veterans (26 million, as it turned out) for years -- it took the VA weeks to break the news when the data finally got stolen. Other recent examples include a Fidelity laptop with SSNs and other data for about 200,000 HP employees and a Wells Fargo laptop with info on "a relatively small percentage" of Wells Fargo's millions of customers (apparently Wells Fargo, like Ernst & Young, thinks that providing incomplete information is not the same thing as lying).
These cases are stupid. Doesn't anyone at these companies read the stories in the papers about the problem of stolen laptops? The problem is actually best described by E&Y on their web page on information security: "However, organizations are missing the rare investment opportunities that compliance offers to promote information security as an integral part of their business." (http://www.ey.com/global/content.nsf/International/Press_Release_-_2005_Global_Information_Security_Survey) Ernst & Young seems to have been a perfect example of what it was talking about.
The problem is not that these laptops were not using encryption (the press is reporting that all E&Y laptops are now, belatedly, using encryption) -- the real problem is having the SSNs and credit card numbers on the laptops in the first place. I see no possible reason for an auditor like Ernst & Young to ever have SSNs or credit card numbers on a laptop. In any reasonable society this would be illegal, but don't hold your breath for that to happen in the U.S. Note that good security practice is to assume that any laptop will be (not "may be") stolen. A cryptographic hash of the SSN or card number can be used if a unique identifier is needed.
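The column's suggestion of a hash as the stand-in identifier has a catch worth spelling out: an SSN is only nine digits, so an unkeyed hash of one can be matched by trying every possible SSN against it. A keyed hash (HMAC) with a secret that stays on the back-office server gives the same stable identifier without that exposure. The Python below is an added example written for this page, not code from the column or from any of the companies named; the key, records and field names are constructed for illustration.

```python
import hmac
import hashlib
import re


def normalize_ssn(ssn: str) -> str:
    """Strip separators so '123-45-6789' and '123456789' yield the same identifier."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN has exactly 9 digits")
    return digits


def unkeyed_hash(ssn: str) -> str:
    """What the column literally describes: a plain SHA-256 of the SSN.
    Deterministic, but with only 10^9 possible inputs anyone holding the
    hash can check candidate SSNs against it, so it is not a safe substitute."""
    return hashlib.sha256(normalize_ssn(ssn).encode("ascii")).hexdigest()


def pseudonym(ssn: str, key: bytes) -> str:
    """Keyed stand-in: HMAC-SHA256 over the normalized SSN.
    Without the key there is nothing to enumerate against, so the laptop
    can carry the identifier while the secret stays on the server."""
    return hmac.new(key, normalize_ssn(ssn).encode("ascii"), hashlib.sha256).hexdigest()


def build_record_set(records, key: bytes):
    """Replace the 'ssn' column with its pseudonym before the data set is
    handed to anyone who needs to join records but not identify people."""
    out = []
    for rec in records:
        rec = dict(rec)                       # do not mutate the caller's data
        rec["person_id"] = pseudonym(rec.pop("ssn"), key)
        out.append(rec)
    return out


# Constructed sample data. A real key would be drawn from a server-side
# secret store and would never be copied onto the laptop holding the records.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_RECORDS = [
    {"name": "A. Example", "ssn": "123-45-6789", "balance": 10.0},
    {"name": "B. Example", "ssn": "987654321", "balance": 20.0},
]

if __name__ == "__main__":
    for row in build_record_set(SAMPLE_RECORDS, SAMPLE_KEY):
        print(row)
```

The identifier is stable for the same SSN under the same key, which is all an auditor needs to match records across files; rotating the key produces an unrelated set of identifiers, which is what you want when a laptop carrying the old set goes missing.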
Until people begin to understand that employees should only have the confidential data they actually need at any particular time, rather than, by default, having all the data the company has, we will keep seeing these headlines about more people acting with abject stupidity.
disclaimer: Harvard, as far as I know, does not teach abject stupidity, so the above rant is mine, not the university's.