"said the data was encrypted" WERE encrypted - one datum, many data!!
Deloitte has admitted losing a laptop containing thousands of people's pension details, but said the data was encrypted and the machine password-protected, and it had no evidence the data had been misused. The laptop contained 150,000 railway workers' details as well as details on all UK Vodafone staff with pensions and other …
"said the data was encrypted" WERE encrypted - one datum, many data!!
Well, if that's true, that's infinity % better than the government!
El Reg, can you go back and ask whether it was good industrial strength whole disk encryption (in which case this story should have a different headline, to hardware loss), or ad hoc layman's encryption (in which case, why mention the air quote encryption air quote). Thanks.
The lappy was protected by a power-on password, a username/password combination and encryption, they say.
Take out the HDD and slave it, then you're down to encryption only. Which leaves me asking... How good is the hard drive encryption they are using? What are these high standards that they talk about?
And can I ask, is there some "losing personal information 101" course that I obviously have not been offered yet? I mean, we're still doing stupid things like data obfuscation of databases/extracts that have to be given out, insisting on secure transmission channels, insisting on valid reasons for data to leave our 'domain', and taking our data stewardship obligations seriously.
Please advise as currently my organisation is in danger of not hitting the headlines, and we do so like publicity.
And to have enough spare room for a laptop!
How come, when anything goes missing, it's always boring lists of names and addresses (that can be got from the phone book if you're desperate) and never something **really** interesting, like some Adobe or nVidia Source Code?
I assume that this incident will now prompt the usual wave of strikes from when the Railway workers union is unhappy about something. Makes a change from the usual strike reasons of Pay / Conditions / someone being fired for being coked off their face / it's raining / Fancy a friday off.
Start sending people to jail for this sort of thing, and companies, their staff and maybe even civil servants will start taking security seriously.
I blame Microsoft. No reason - I just don't like them.
After what's happened to share prices recently, what pensions?.
Reading the Deloitte official line, I'd rather think it is the password that is encrypted, not the data.
"operating system user ID/password authentication and encryption"
Well , that "encryption" word is for sure well placed in an ambiguous position by an expert on the matter of communication.
Passwords are encrypted , or not ?
I for one welcome this development.
The scumbags at Deloitte share a building with one of my clients. After they got smoking banned on-site, forcing us out onto the pavement to smoke, they then complained that these "scruffy looking blokes" were smoking on the pavement outside their window and putting their clients off.
So now the unofficial policy is that "scruffy looking blokes" /must/ smoke on-site; everyone else /must/ go off. But now and again I smoke outside their window anyway just to piss them off. And I steal their visitor parking spaces.
Just my little vendetta. Back to your regular commenting ...
I think El Reg needs to start publishing a league table of the most serially incompetent in the data loss fields. HMRC's still in the lead, but the MoD's a strong contender, albeit with PA Consulting and Deloitte close behind.
You could award an annual prize. A sieve might be appropriate. Or the Ladybird Book Of Data Security, covered in dust.
but as all of my laptops have the disk encrypted before any operating system gets near them, I would feel like I just lost a laptop. And I'd make sure any information release had that fact and only that fact on it - the encryption kinda got lost in the blurb ...... EFS?!
My forensics guy even admits that he'd resort to questioning the owner for the password rather than try cracking the cipher.
Surely there's a picture of Smokey the Cat in the handbag too?
Paris - because she would have a toy dog to protect her laptop....
My employer (one of Deloitte's rivals) uses full disk encryption on all company clients whether desktops or laptops. This being the case, the data is pretty safe unless the laptop is turned on or the baddies are capable of breaking AES256. We are instructed not to carry our machines around in standby mode.
While I imagine we do lose laptops like any large organisation, there is no material prospect that anyone is going to be able to extract any useful data from the machine and I hope that our line would be "the hard disk was fully encrypted using a strong algorithm and so there is no material risk of disclosure of anything on the lost machine."
My view on this is either you use strong full disk encryption, in which case there really is no real risk or you don't in which case you are stuffed. No other controls really count for anything. The danger of referring to eg passwords, is that you are implying that the encryption may not be strong enough on its own and if that is the case you are pwned.
1- How do you fit a laptop inside a handbag? An Eee PC or something similar maybe. But otherwise, that's a damn big handbag.
2- Why is this still happening? You would think that alternatives would be found by now. E-Mail a copy of the documents to yourself or something.
3- As others have said, how good is this "encryption"? We can only take their word for it that it's any good.
Paris beause she still hasn't managed to lose her clients personal data.
This is the very first time that I've heard of anyone (other than other Register readers) using encryption on a laptop. Congratulations to Deloitte! Surely this should be the headline: "Deloite uses encryption on laptop, so no data lost."
Why would someone need to have the databases on the laptop itself? Surely good procedures would mean that if a Deloitte employee needed access to the databases from outside of the office they could use VPN access and just have the database client software on the laptop. This way the data never leaves the Deloitte offices in such a handy, portable, all in one package.
The fact there's a password to get into the machine means nothing.
The important thing is that the data is encrypted with a strong algorithm and that the decryption password/key is difficult enough to obtain.
oh yes, put all sensitive data on laptops, but with bios password of course, and carry them around the whole time. are you going to drink coffee? take all sensitive data with you! and take with you a memory stick with a backup of all data too, in case your laptop gets lost again and you want to access it during a visit to grandpa.
no problem cos "everything is going to be all right" and well.. "don't worry be happy"
The vodafone letter seems a bit more optimistic - the one sent to Network Rail employees stated that although measures were in place, it would not prevent someone with the intention of actually retrieving this data, from bypassing the policies in place.
What's even better, is that I didn't even have a pension, but appeared to have been identified, and therefore received a letter, so they've lost details of people's pensions, that they didn't actually have ?!?
Glad it was Vodafone, etc as well, as it was stinking of a standard NR balls up as normal, I should know, worked for them for long enough !!
Mine's the one with the psuedo-pensions letter in the pocket...
No industrial strength encryption... would appear that it was Windows File and Folder encryption which was in place through 'Security Policies' - Windows GPO's... how efficient...
Paris - even she would know better...
*What* encryption? Was it Winmagic, Safeboot, Pointsec etc or was it something noddy like a password on excel? It makes a pretty big difference and it's the sort of question you should expect people to ask and we should expect you to answer.
The penny may be dropping, but if so, very, very slowly.
Let me spell it out in words of not more than 10^12 syllables for the benefit of IT managers everywhere:
Thesis 1. Thieves abound and will steal anything not bolted to the floor and watched over by armed guards if they can.
Thesis 2. Everyone is careless, including the armed guards. Armed guards in particular tend to sleep on the job.
Thesis 3. What happened to the 8 hour day?
Conclusion: Never, ever, put critical data on ANY portable piece of hardware, including but not limited to laptops, thumb drives, CDs, USB thingies, portable HDs, memory doodads. If you do, it will be stolen, left in a train or pub, lost in the mail, or otherwise go missing.
Conclusion: if your staff can't get their work done in-office during normal working hours, you're giving them too much work to do. Most of it's pointless make-work anyway. "Taking work home" is a bad habit made worse by taking it home in digital format.
Conclusion: if your staff don't know how to back up files to a central server on the network and persist in burning CDs or floppies instead, hold a grand auto da fe culminating in removal of the offending digits (fingers).
Conclusion: Bosses aren't being held responsible. If Joe Grunt fucks up, that fuck up should be viewed as occurring at all levels upward including the Big Cheese in the Penthouse Corner Office.
There will be a pop quiz on Wednesday afternoon on this material.
Clumsy attempts at humor aside, it's staggering to me to see this happening yet once again. It sure sounds like an expression of the "oh, that can't happen to us" syndrome, more commonly associated with teenagers in fast cars killing themselves at high speed.
It would be amusing to ask those members of the management caste responsible "are you a professional in your work?" I suspect most have a grossly inflated opinion of their own merits.
As I work for a large rail infrastructure company, and its highly likely that my pension details were among those lost (I received a calming and re-assuring letter from the good people at the Railway Pensions Scheme last Thursday).
What I want to know is, how on earth does this keep happening? Why are these details still being held locally on insecure devices such as laptops? I don't care how well encrypted Deloitte say it is, unless they are the CIA I doubt it would be impossible for a professional criminal gang to get the data they need. There is no need for this type of data to be held locally now almost universal (often wireless) broadband access is available.
It apparently didnt have my bank details (no need for RPMI to have it, as the contributions are made via payroll).... whoopee. But I bet it did hold my DOB, NI, Name, Employer and possibly address... just the ticket for putting on a dodgy passport or drivers licence.
Yes, there is always the possibility that it was nicked by some passing opportunistic chav, who promptly wiped the drives and is now using it for posting abuse on to YouTube. But, then again, maybe not.
P.S. I post anonymously to protect myself from any comeback from my employer, but I am a regular contributor to the comments pages.
Deloitte issued laptops have encrypted folders, so as long as the documents were stored in the correct folder, the data should be safe.
Having worked in that environment there's a problem with the whole VPN idea. In theory it is the proper thing to do, and when I worked at a Deloitte rival it is what we were instructed to do.
First, most client databases (one for each client) are kept in a central repository, so accessing that repository from a client machine leaves the risk that data could be compromised between clients (especially in a world were employees tend to work per sector and audit several close competitors at once). This means that company policy is always that all work must be done on the Firm's PC, not the Clients (there are actually several other regulatory reasons for this policy).
Also, given the hours worked etc. using one of the clients PC's was never really an option because it always ended up with some littles first year trotting of home with material non public information in his/her pocket. That has to be less secure than any kind of encryption on a laptop.
However, in order to VPN back into the Firm's network from a client site, you need internet access, and this isn't so easy. Most client networks were locked down so that only machines originating within that company could use them, so no internet, and no VPN.
It's a vicious circle really.
Oh and to the rest of you: are you so female deficient that you've never seen a chick with a handbag big enough to carry(and made for carrying) a laptop?
Paris, coz she knows about unwanted disclosure...
I think you confused what I meant by "client". I meant the programs that allow access to data stored in a database server - the programs you use to query and modify data are the database clients (note there's no possessive), while the software running back in the office is the database server. I didn't mean running the database server or client programs on a customers machine - in this case, the client programs would be on the Deloitte laptop, with remote access to the database server via an encrypted VPN.
I work for a similar firm to Deloitte. Deloitte use Windows XP Pro's inbuilt EFS encryption. I'm sure people far cleverer than I will be able to comment on how secure that is or isn't.
All locally saved emails, and all working papers are stored on the hard drive in encrypted folders.
Regards why there is a need for anything to be saved locally, greenmantle has hit the nail on the head. Unless clients can guarantee decent wired (and wireless - auditors spend as much time with their laptops chatting to client staff as they do sat in an office) connections it is entirely impractical. And however good 3G dongles are, their coverage and uptime are somewhere short of being 100% in some of the shit holes they'll have to work.
Laptops get nicked... if the data is encrypted is it even news worthy??
Nice to see the above statement about encryption wasn't anywhere within the letter that Vodafarce sent out. My wife is over the moon that having left their employ 2 years they are still managing to p**s her off!
Mine's the one with Arun Sarin's pension details in the pocket.
Come on commentards; you can do better than this! It's obvious spin speak saying that the laptop had some form of encryption available somewhere on it. It does not in any way imply that the _data_ was encrypted. Consider all that personal information to now be in the public domain.
When, and only when, someone boasts in their "oh shite" letter to customers that the data was AES encrypted with a 4096 bit key can you start to feel confident that the data won't have leaked. Don't fall for such obvious bullshit as "the laptop was protected by...".
Posting as AC for obvious reasons.
1) I do work for Deloitte
2) I'm not an auditor (thank god)
Only certain folders on the disk are encypted - Client folders emails included. We are not talking about unencrypted data with a password. All removal memory (ie data sticks) are also encrypted and self wiping (To the point I've lost personal documents I put on an old stick and promptly forgot the password to) Sadly I've never bothered to check what the level of encryption or type is.
Sounds like the individual involved has broken numerous firm policies. 1) being in a public place with her laptop for it to be taken and 2) keeping this sort of data on her local machine. We have a sensitive documentation management system for this sort of stuff.
Not looking forward to the sh1t / fan email that will no doubt do the rounds tomorrow, and the random laptop audits that are likely to follow. *sigh*
I do actually feel sorry for the position this poor sod now finds themselves in.
It's all very well having policies and such like, but I quite often have to speak to people on extended assignment to client sites.
The pressure these people are under often means they are working way past 10 and 11 at night in hotel rooms or at home to make sure they hit targets - and typically it is the guys who are 2 or 3 years out of uni and just ACCA qualified who end up in this position, which invariably means they have to try and muddle through and carry their kit everywhere. When on a client site they are typically stuck in a basement , or a broom cupboard, and are very unlikely to get a stable internet conection so they can VPN back to the office.
Posting Anon, and cutting this shorter than I want to, as I would no doubt piss off someone who cares more about the companies rep than actually addressing the issues
I am beginning to wonder if all of the sensitive info which is going missing is not accidental and someone is being given a backhander for the info
"When, and only when, someone boasts in their "oh shite" letter to customers that the data was AES encrypted with a 4096 bit key......"
Hmm, does the number 256 mean anything to you?
fscked by SHA-1 collision? Not so fast, says Linus Torvalds