Unencrypted Laptops: Data breach 101


Yet another laptop containing sensitive information has been stolen or lost and, much to the “surprise” of ESET security specialist Mark James, it was unencrypted. We look at some other cases of “mislaid” documents and Mark comments on good encryption practice.

The laptop in question contained the details of a number of children attending HSE Speech and Language Therapy services in Donegal. The laptop was stolen from a staff member but had no encryption on the data.

Who is to blame?

It is difficult to point the finger of blame squarely at the individual member of staff; it’s not like they left some top secret files on a train, for example.

Of course the thief holds a large amount of the blame in every case because they actively stole something. However, the organisation or “owner” of the data has a responsibility, or even duty, to keep that data safe.

Of course, a very determined hacker could crack encryption, just as very determined thieves could rob a bank, but that doesn’t mean you should leave the vault wide open: strong deterrents are an order of magnitude better than nothing at all.

In this instance HSE is in the spotlight, but other organisations have come under fire in the past: the BBC compiled a list of cases involving missing or stolen data from 2007-2009 and NASA almost faced a lawsuit when a laptop containing details for 10,000 employees was taken from a locked car, much like this case.

Encrypt, Encrypt, Encrypt

In a perfect world we wouldn’t need encryption, but just as we need to use strong, complex passwords to deter potential hackers, organisations need to use encryption on their sensitive data.

“How can any organisation that holds our children's data on a laptop not have the very basics of data encryption?” asks Mark James.

He adds that “the cost is minimal, it's easy to install and manage and there is absolutely no excuse for it not to be enforced by every single education authority.

“When are they going to learn that the responsibility to protect our children is not just about education in schools? It's about spending money in the right places.”

This point carries into all organisations: spending on proper data security is often done after a major breach as a reaction, rather than before as prevention.

Hopefully companies, schools and other organisations are really starting to learn from others’ mistakes. Having said that, we are never surprised to see significant breaches due to a lack of security: shocked perhaps, but not surprised.