Skipton in lost laptop security woes

Um

According to the Yorkshire Post

"Moore Stephens Consulting was carrying out work on an IT system for the Yorkshire-based investment company when the theft took place"

So why did he need customer data on his laptop?

Laptops

Other than discs, it usually seems to be data on laptops that is lost. A rule under the data protection act that sensitive personal data may not be held on anything other than a desktop or mainframe would solve most of the problems. If data is needed elsewhere it could be sent on secure encripted lines since I assume that such things exist.

If the facts don't fit the theory, change the facts

Security will never improve until company Directors are properly held to account with robust, easily understood law instead of the flannel we are working under. And no, UK law does not work in this respect - otherwise we would have seen some brought to book by now.

huh?

So this guy was walking around with a laptop full of thousands of customer's records... why? I can't believe that the creators of a database system that holds so much sensitive data would be so careless as to develop a mechanism that places a physical copy of so much plain text data on the client PC. So my guess is that he had a data dump on a spreadsheet. Wonderful. All the smart systems development in the world can't protect against that level of user stupidity.

RIPA

Oh dear, looks like we're caught between a rock (encryption requirements to pre-emptively avoid disasterous data losses) and a hard place (RIPA sec 3).

"Told you so", a consultant might say, looking back three years.

Assume nothing is secret

I think we should all now assume that we have no "private" data. Assume that it's all out there already, and stop worrying about any further leaks.

As an individual, this really just means that I must always check my bank statements - which of course I do anyway. The people whose lives are made more difficult are the banks (etc.), who can no longer "verify" customers' identifies by asking for confirmation of "private" data. How they will fix this I don't know, but that's their problem.

Not stolen...

It went walkabout because it wanted another Date with the Great Codd in the Sky.

/Is this my concrete overcoat I see before me

what I really want to know

The article only says it was taken from a locker. I want to know was that locker on company property.

How to fix?

Many people here suggest that there is gross negligence by the company losing the data, as opposed to the consultants who failed to encrypt or protect it.

From a technical point of view what exactly is the solution, then?

1. Have policy and equipment requiring consultants to use a remote desktop so data always remains on site.

This has it's own technical problems, requires high connectivity, can be expensive, limits the software/os available to the consultants, and is potentially vulnerable to exploitation in itself.

2. Require consultants to always store data on remotely mounted drive located at company via VPN.

Difficult to enforce, and requires high connectivity.

3. Require consultants to keep data encrypted.

They should already have been doing this, it is difficult to enforce.

4. Prevent them from having access to all the data (select *) so they can't loose it

I've heard people say this, but what exactly are you talking about? The consultants may if fact need the data. SQL is by nature an adhoc mechanism, how would one impose restrictions while not simultaneously hampering the ability to do one's job?

The company could have DBA to create and grant restrictive views to the consultants. However if every query needed approval, efficiency would drop like a rock. And if the DBA knew which queries to grant, then they probably wouldn't need the consultants in the first place. So this still wouldn't necessarily fill the security hole.

I'm really interested in knowing how you guys would go about solving this? Clearly there are things that the consultants can do, but what about the company who's data is at risk?

Or...

If 'consultants' *have* to work with live data, they do so on-site.

There are no technical difficulties whatsoever, just inconveniences, maybe.

Wait!

A far more satisfactory solution now occurs to me. One that will solve very many ills and remove many irritations.

Ban consultants.

A byproduct of the Digital Age

Quite frankly I don't think that this really matters any more, on any one individual user of the internet there's a few dozen records scattered across various company's databases, most of which don't have any real security measures on.

All these thefts mean is that the people on the lists have an increased chance of being targeted, but even that isn't guarenteed because the criminal has to know where to look for you. There's safety in numbers when it comes to things like this...

It's an easy to solve problem

Get notebooks with hard disks that feature hardware based encryption. They are available today from Seagate and are actively sold by NEC and Dell Computer.

Thes hard disks feature AES government approved encryption at full interface speed. The user doesn't even notice they have an encrypting hard disk.

See here: http://www.wave.com

Seems like...

... losing data is the fashion of this year. ;)