HM Revenue and Customs (HMRC) has become the latest organisation to apologise to clients as the result of a lost laptop. A machine containing personal data was stolen from the car of an HMRC staff member last month, the UK tax department confirmed on Monday. The tax worker had been using the laptop for a routine audit of tax …
'commitment to its customers' - so I'm a customer of HMRC now am I? Does this mean I can take my business elsewhere and decide not to give any personal data to the inland revenue?
No obligation to report the breach?!
"With top level encryption making it virtually impossible to access the data held on the stolen laptop, HMRC had no real obligation or reason to report the breach.."
What?! That's like Securicor losing a cash box stuffed with a few thousand saying "oh well, it's virtually impossible to access the cash in the stolen box so we won't bother telling anyone".
It was probably just a crime of opportunity and the thief will have no idea there is valuable information on the laptop, but would you want to chance that information making it into the hands of more ne'er do wells?
I can imagine it now - "yeah, yeah, we knew it got nicked but it was encrypted so we didn't bother doing anything about it."
It's high time people took information security seriously - cash, cheques and cards can all be revoked. It's a bit more of a pain to change your name, address and date of birth.
Let's be realistic, how many of these 'lost' laptops will *really* find their way into the hands of nefarious identity stealers? I'm willing to bet that most, if not all, end get traded for a bit of cash or a baggie, then immediately formatted and flogged on eBay. Your average smash-n-grab thief doesn't know the first thing about computers, never mind breaking even entry-level encryption. If they're using 256-bit, or higher, encryption then the thieves can expected to spend the rest of their lives, and then a few more million years, waiting for a brute force attack on the data to complete. That's roughly akin to saying that I'm worried about my bank statement being used for naughty business even though it's been shredded, shredded again, put in a secure box, in a safe, set in concrete, in a secure van that's been stolen by two narcoleptic chimpanzees with ADHD.
"Does this mean I can take my business elsewhere and decide not to give any personal data to the inland revenue?"
Well, yes, actually. But as HMRC has the exclusive francise for the UK, you'll have to take your business *and* yourself to another territory - France, Germany, Turkey, Iran, China...
You get the picture.
How can a nine character password be declared "secure"
oh yeah so secure
How much are you willing to bet that even through the laptop has encryption enabled, that the idiot who lost the laptop probably had his username and password taped to the keyboard just so he wouldn't forget it. I've serviced way to many laptops that are just like that. And until the tax department can proof otherwise I would be highly suspicious of their claims of no real security issues
You would be surprised on underground economy
Maybe the thief that grabs your laptop has no idea whether it has any value except hardware.
But I wouldn't be too sure of the middleman who buys the laptop.
Odds are that there are quite a few of those who know enough to boot the laptop and see are there any company names or domain names visible.
After all if they manage to sell it for someone interested in ID theft of industrial espionage they get more for it.
But you are right, that any encryption makes the data worthless. Also it's a very good idea to have bios startup password. Some of them can be cracked, but that is still extra nuisance for the criminals.
re: So What...?
"stolen by two narcoleptic chimpanzees with ADHD."
heh... great stuff there. cracking the encryption itself is pretty futile... cracking the password would be much easier. but as you pointed out... most smash and grabs don't know jack about fixing electronics so how would they know anything about how to break into an encrypted hard drive. Format and go, get some quick cash for it and have a nice day.
reminds me of one smash and grab where a speaker box and amp were nicked from the trunk of my car... they broke the right channel's RCA center pin off in the amp and cut themselves on the smashed window - used to gain access to the trunk release. if they did actually manage to get it out in working order, if they just shoved the broken RCA pin into the unit... it probably didn't work for long.
The problem is, as always, the people. If the high level encryption key is written on a post-it note stuck on the wrist rest it doesn't matter how many bits it is.
The caring sharing IR?
Certainly sharing, anyway.
Quote: "As such, this voluntary disclosure shows a refreshing level of ethical responsibility ..."
Eh? Congratulations to the Inland Revenue for allowing an employee to leave a laptop containing a raft of sensitive personal financial and identity data in his car? Then have it nicked? Oh, well done that man!
Quote: "Commitment to its customers." Yeah. Right. *That* will impress everyone who has to deal with these caring bastards on an annual basis.
At least the thing was encrypted. I wonder if he had the key on a memory stick in the glove box?
Can I have all my tax refunded please, Mr. Darling?
I could do with the money and your buffoons obviously don't know its never a good idea to leave a laptop in a car, high level encryption or no.
Supporting secure websites as I do I know that encryption is hard to break but even so I'd like my money back so I can take my business elsewhere.
Oh wait, the right for you and your servants to rob me blind each month and do what you like with my personal info is enshrined in law, oh dear what a pain in the ass.
When I was young I used to think people that tried to dodge tax were out and out ne'er do wells, now I have some idea why they do it.
Now where did I put the number for that bank that specialises in accounts in the British Virgin Islands....
Encryption only enforces the password
The encryption is likely impossible to break, but everything is only secure as the guys passwords.
However I am guessing that any organization that bothers with encryption also has a decent password policy.
encrpytion on the HD of the OS is no excuse
I just wish I could tell you how many times I've seen a good security policy destroyed by an ID10T who would do something so simple as write his username and password on a sticky and tape it to his PC.
The exact same thought crossed my mind.
I'd be much more convinced if they were completely honest and referred to us as "the peasants".
Ah, that'll be because the tax records were for highly paid folks.
"It's high time people took information security seriously - cash, cheques and cards can all be revoked. It's a bit more of a pain to change your name, address and date of birth."
How the hell do you revoke cash? The only way I know is to punch the mugger when he turns around to run.
Cash can be revoked by with drawing the serial numbers. That why Mr (or Mrs) kidnapper always wants 'random used bills'.
Encryption security and passwords
According to HMRC, the data was protected by "complex password and top level encryption." Now, we only have this little sound bite to go on, but what this should mean is that the encryption used a passphrase, not a password, with strict rules about passphrase generation. Additionally, the user involved should have been able to give this to the security personnel investigating the loss. Passphrases can be analyzed for entropy levels, and if there is at least a hundred bits of entropy in the passphrase, the cost of breaking the encryption will far outweigh the gain of identity theft.
As far as the comments regarding the user leaving his laptop in his car, the simple fact of the matter is that these things happen. The article is very short on details, so we can't say for certain whether or not this was an unfortunate case of a thief taking advantage of a narrow window of opportunity (quick stop off for a call of nature?), or if it was a case of gross negligence (leaving it out overnight - in the convertible - with the top down). Either way, this is why we have encryption technology, and why organizations such as HMRC should (and apparently do) have a well thought out data security plan in place, including the use of whole disk encryption as a safety net for the inevitable loss of laptops.
One, assuming properly implemented encryption with two-factor authentication...and the token wasn't also stolen...there was no data loss. Unlike a locked box the contents of which retain their value once you physically break in, the complexity of breaking a two-factor system remains sufficient we will all be retired by the time technology is able to break it. And I don't see criminals hanging on to thirty year old hard drives just to see what might be on it down the road.
Two, at least they seem to be a bit more forthright and competent then Connecticut (the Julie Amero Porn Popup State) was when thousands of records that had no business being on a laptop were stolen. The Department of Revenue Services refused to reveal who the employee was who lost it, "It's not a public record, blah blah blah." So the main newspaper in the State called up the Police were it was stolen...and had a copy of the stolen property report faxed over. Oh, the irony that after experiencing one data theft you still don't know how to keep information private...
My own experience with significant pass phrases is that they are impossible to remember in their hundreds as some security professionals seem to forget the only safe way to do this is to write the pass phrase down and put it in a safe which is sort of a pain in the ass if you have to look it up every time you need to boot up your laptop. Another thing I know for a fact if it is possible to get that data off that laptop they will the myth that it's technically too challenging is sadly misinformed. Skimmers and over the shoulder readers are all over and they like nothing better than an unwatched laptop the chances are pretty good whoever took it wanted that specific type of data.
@Morely Dotes, Customers
"Well, yes, actually. But as HMRC has the exclusive francise for the UK, you'll have to take your business *and* yourself to another territory - France, Germany..."
I've been in Germany for seven years now. I live here, work here, I'm building a house here, I spend tops of 10 days a year in the UK. I still hear from the Inland Revenue...
"A printout of personal details and financial information of some people was also taken during the same theft"
The thieves should know to sell this on to someone who deals in credit card fraud who can use it or resell it so someone more experienced. If they can read it should be obvious what it is.
The printout probably means the user wasn't too careful with not writing down passwords. If they didn't write it down then a simple attempt using numbers only would take a couple of seconds, then every dictionary word, names of people and places and names and birthdates would take about an hour. Then a random approach using common secure passwords some reversals and a few numbers and dictionary mixes might take a day or 2.
After that it becomes massively complex and if it was really important using the printouts and names to try and find encrypted versions of them, researching the owner of the laptop and any personal information to use that in passwords, friends, family and so on. Bugging the users home or shoulder surfing them.
Simpler is returning the laptop with a key/screen logger after mirroring it and getting the relevant logins to use on your copy, I'm sure I would log into my laptop to make sure it was ok when I got it back.
400 high value individual savings accounts
That's 400 people who will certainly wish to give the Inland Revenue a "refreshing level" of honest and to-the-point evaluation of their competence.
I'm fairly certain that their 'top level encryption' will be breached by someone with a Knoppix CD.
Knoppix CD? I'm betting that the "tell me the hard drive password for this Dell" utility will do very nicely thank you.
As for the whole "Customer" thing, there is a word for those from which you can remove everything that they can possibly spare, repeat this each and every year and never get any serious complaint. It's "Sheep".