Now what?
Who can the CAB call now to get advice?? Hope whoever they called won't allow their data to scatter that easily.
A laptop containing client information has been stolen from the car of an employee of Citizens Advice in Northern Ireland. Up to 60,000 client records are held on the computer, which was stolen in the early hours of 5 December 2007. According to Citizens Advice in Northern Ireland, the data stored relates to people from the …
Surely a better title for this article would be
"Government admits to encrypting data"
3 levels of security including high level encryption... this can't be the same government that sends unencrypted CDs back and forth to each other, can it? The guys at the CAB should be praised, not ridiculed, for the fact the data which was stolen actually had a decent level of security.
This is assuming the 3 levels of security weren't:
1. Don't let the data leave the computer it is on
2. Don't let the computer leave the room it is kept in
3. Use the password CAB to access the database.
It's good to hear that they use 'high level encryption' for the CAB client database. I assume that this means PGP or similar applied to individual files?
In this case, a file being worked on is often manually decrypted to 'clear' and then worked on before being manually re-encrypted if the user can be bothered to do so. [Potential security breach].
Also, it was a laptop and it may have been stolen from someone who was taking work home for whatever reason. It's very tempting to use Hibernation on a laptop (I use it on a permanent basis) in which case there is only the Windows password to stop anyone who opens it from carrying on where the last user left off [Potential security breach].
If the rightful owner/user is really lazy, they can easily turn off the Windows password requirement on return from hibernation (as I do on my desktop which I also hibernate). [Potential security breach]
If taking work home, it would also be tempting to not bother to close any open apps before hibernating the laptop. That way you wouldn't have to go through the 'hassle' of doing the decryption password/protocol before you could resume work and then waiting for a sluggish database app to get going. [Potential security breach].
There are so many ways in which 'natural' human carelessness and an 'understandable' desire to take convenient shortcuts can nullify the best technical attempts to provide security of data. What is so far unknown in the CAB case is the extent to which the precautions they have taken might be nullified by lack of proper operating procedure, either improperly formulated or improperly followed.
Expect more reporting of these sorts of incidents in this new era of openness that we seem to have. Also, expect more organisations to give reassurance that they use 'high level encryption'. However, don't expect anyone to tell you which encryption app they use, or for them to show you their formal procedures, or to submit willingly to any form of procedural observation and audit. (You can guess why, I'm sure).
"However, don't expect anyone to tell you which encryption app they use or for them to show you their formal procedures or to submit willingly to any form of procedural observation and audit."
Of course they can't! The Terrorists|Paedophiles|Bad People will then know their procedures too! Security by Obscurity works!
Leave them (the government) alone with all your data and just live in FEAR of everyone else.