Friday, June 22, 2007

Data Theft: When To Worry

Data breaches as a result of laptop theft have gotten a lot of press over the past couple of years. There have been dozens of these incidents, and there's even a Hall of Shame. Despite this, there has never been a publicly disclosed link between a laptop theft where personal data was stolen and the appearance of some or all of that data on the black market.

My theory is that laptop theft, like most theft, is a crime of opportunity. Just about anyone can steal a laptop from an airport, office, or car and sell it on eBay or at a pawn shop. Or keep it. And they can make a few hundred dollars doing it. The theft itself takes a few seconds. To target a laptop with valuable data on it would require a lot more reconnaissance and planning. Hours, days, even months to identify the one that had the right data and find a time when it was unprotected enough to steal. The truth is, stealing identity dumps is a whole lot easier and less risky than targeting a laptop. This is no excuse to not encrypt laptop hard drives. But it is much ado about very little.

However, when you see a story like this, it's time to worry. This wasn't lost in the mail or displaced by Iron Mountain. It was stolen from a car. And it's a DLT tape. The black market value of a used backup tape? Less than the CD in the car's stereo. So it may be a crime of opportunity, but backup tapes imply valuable data. Why back it up otherwise?

And what would a story about stolen data be without the excruciating attempts to downplay the breach? The governor's office says that it is unlikely that the information has been accessed because it requires special hardware and software. As if that wasn't bad enough, it turns out that the reason that the tape was in an intern's car in the first place is because it was part of a standard security procedure. Now, off-site backups at a 22-year-old's apartment may or may not be better than no off-site storage at all. But this is downright irresponsible. Somebody was willing to break into a car to get a tape with hundreds of thousands of dumps on it, worth potentially millions of dollars on the black market. What would have happened if that intern had been there when the tape was stolen?

So if you haven't contracted with an off-site storage company or aren't already using your corporate locations to do off-site storage, please think about it. I'd like to tell you that I think this story is uniquely asinine, but the truth is that I've personally made this recommendation to at least a half-dozen clients over the past 5 years because their off-site practice put an employee at risk.

1 comment:

Anonymous said...

I agree with you 100%...
My laptop was stolen in JFK and I freaked out because I had months of lost data.... I learned from my mistake and did exactly what you said. I'm using they back up my data and email me automatically every night..