A laptop containing client information has been stolen from the car of an employee of Citizens Advice in Northern Ireland. Up to 60,000 client records are held on the computer, which was stolen in the early hours of 5 December 2007. According to Citizens Advice in Northern Ireland, the data stored relates to people from the …
Now what?
Who can the CAB call now to get advice? Hope whoever they called won't allow their data to scatter that easily.
Surely a better title for this article would be
"Government admits to encrypting data"
3 levels of security including high level encryption... this can't be the same government that sends unencrypted CDs back and forth to each other, can it? The guys at the CAB should be praised not ridiculed for the fact the data which was stolen actually had a decent level of security.
This is assuming the 3 levels of security weren't,
1. Don't let the data leave the computer it is on
2. Don't let the computer leave the room it is kept in
3. Use the password CAB to access the database.
Quote: "He said the data was protected by three levels of security, including a high level of encryption."
In contrast to the HMRC missing data on the CDs.
Well done to them, at last a data breach from someone who has heard of encryption!
The CAB is an NGO
NGOs worldwide know the value of encryption. They are a regular target of rat-bastard thieves and spooks with nothing better to do.
Let's have some sackings
Surely rule 1 of the department who provided the laptop was "do not leave in a car"?
Somebody in charge of IT is not doing their job properly and should be fired.
Potential Procedural Problems
It's good to hear that they use 'high level encryption' for the CAB client database. I assume that this means PGP or similar applied to individual files?
In this case, a file being worked on is often manually decrypted to 'clear' and then worked on before being manually re-encrypted if the user can be bothered to do so. [Potential security breach].
Also, it was a laptop and it may have been stolen from someone who was taking work home for whatever reason. It's very tempting to use Hibernation on a laptop (I use it on a permanent basis) in which case there is only the Windows password to stop anyone who opens it from carrying on where the last user left off [Potential security breach].
If the rightful owner/user is really lazy, they can easily turn off the Windows password requirement on return from hibernation (as I do on my desktop which I also hibernate). [Potential security breach]
If taking work home, it would also be tempting to not bother to close any open apps before hibernating the laptop. That way you wouldn't have to go through the 'hassle' of doing the decryption password/protocol before you could resume work and then waiting for a sluggish database app to get going. [Potential security breach].
There are so many ways in which 'natural' human carelessness and an 'understandable' desire to take convenient shortcuts can nullify the best technical attempts to provide security of data. What is so far unknown in the CAB case is the extent to which the precautions they have taken might be nullified by lack of proper operating procedure, either improperly formulated or improperly followed.
Expect more reporting of these sorts of incidents in this new era of openness that we seem to have. Also, expect more organisations to give reassurance that they use 'high level encryption'. However, don't expect anyone to tell you which encryption app they use or for them to show you their formal procedures or to submit willingly to any form of procedural observation and audit. (You can guess why I'm sure).
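The weak points the comment above lists are all things a laptop's own configuration will reveal. As an added example (not code from the original thread or from Citizens Advice), the following PowerShell audit checks them on a Windows laptop: whether hibernation is enabled, whether a password is required on resume (the "Require a password on wakeup" power setting, identified by its well-known GUIDs), and whether the system drive has full-volume encryption underneath any file-level encryption. It assumes Windows 8 or later with the BitLocker module and an elevated prompt.

```powershell
# Added audit script (assumption: Windows 8+, BitLocker module present, run elevated).
# Reports the "convenient shortcut" settings that let a stolen hibernated laptop
# resume straight into the last user's session with decrypted files open.

function Get-HibernateEnabled {
    # HibernateEnabled under the Power key is 1 when hibernation is on;
    # 0 or absent means no hiberfil.sys (memory image) is written to disk.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $prop = Get-ItemProperty -Path $key -Name HibernateEnabled -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.HibernateEnabled -eq 1)
}

function Get-PasswordOnWakeRequired {
    # "Require a password on wakeup" is setting 0e796bdb-... in subgroup SUB_NONE
    # (fea3413e-...). Index 1 = password required, 0 = resume without one.
    $subgroup = 'fea3413e-7e05-4911-9a71-700331f1c294'
    $setting  = '0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
    $scheme   = [regex]::Match((powercfg /getactivescheme), 'GUID:\s*([0-9a-f-]+)').Groups[1].Value
    $out      = (powercfg /query $scheme $subgroup $setting) -join "`n"
    # Check both mains (AC) and battery (DC); a laptop left in a car is on battery.
    $ac = [regex]::Match($out, 'AC Power Setting Index:\s*0x([0-9a-f]+)').Groups[1].Value
    $dc = [regex]::Match($out, 'DC Power Setting Index:\s*0x([0-9a-f]+)').Groups[1].Value
    if (-not $ac -or -not $dc) { return $false }   # setting not readable: treat as a finding
    return ([Convert]::ToInt32($ac, 16) -eq 1) -and ([Convert]::ToInt32($dc, 16) -eq 1)
}

function Get-SystemDriveEncrypted {
    # Full-volume encryption is what covers the hibernation file and any file a
    # user decrypted "to clear" and never bothered to re-encrypt.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    return ($null -ne $vol -and $vol.ProtectionStatus -eq 'On')
}

function Invoke-LaptopAudit {
    $findings  = @()
    $encrypted = Get-SystemDriveEncrypted
    if ((Get-HibernateEnabled) -and -not $encrypted) {
        $findings += 'Hibernation enabled on an unencrypted system drive: hiberfil.sys holds decrypted data in clear.'
    }
    if (-not (Get-PasswordOnWakeRequired)) {
        $findings += 'No password required on resume: whoever opens the lid continues the last session.'
    }
    if (-not $encrypted) {
        $findings += 'System drive not BitLocker-protected: file-level encryption alone leaves working copies exposed.'
    }
    if ($findings.Count -eq 0) { return 'No findings.' }
    return $findings
}

Invoke-LaptopAudit
```

The script only reads settings; it does not change them. Run it as part of a build check for any laptop that is allowed to leave the office, and treat each line it returns as a procedural gap of the kind the comment describes rather than as a technical flaw in the encryption product.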
@Potential Procedural Problems
"However, don't expect anyone to tell you which encryption app they use or for them to show you their formal procedures or to submit willingly to any form of procedural observation and audit."
Of course they can't! The Terrorists|Paedophiles|Bad People will then know their procedures too! Security by Obscurity works!
Leave them (the government) alone with all your data and just live in FEAR of everyone else.
"Three levels of security"
What that means is that upon booting up the laptop, the fraudster has to:
1) Move his mouse over the file on the desktop called 'Password.txt'
Ah yes. The "protected by three levels of security". What they don't say is that they had saved the passwords so that the information could be automatically decrypted. So all they have to do, maybe, is break into the MS Windows account. Oooh, that's so difficult.
Well now, aren't CAB duty bound to disclose the key?
or, as so many have already hinted, is it written on the disk?