FTC Laptop Theft Exposes Consumer Data

The Federal Trade Commission -- an agency whose mission includes consumer protection and occasionally involves suing companies for negligence in protecting customer information -- today disclosed a recent theft of two laptop computers containing personal and financial data on consumers.

In a statement, the FTC said two employee laptops were stolen from a locked vehicle. The PCs contained data on about 110 people that was "gathered in law enforcement investigations and included, variously, names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers."

The commission said it has "no reason to believe the information on the laptops, as opposed to the laptops themselves, was the target of the theft. In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops." The agency also said it would offer affected individuals one year of free credit monitoring.

The FTC's loss is just the latest in a string of laptop thefts -- including several here in the Washington area -- that exposed sensitive information on millions of consumers. Last month, the U.S. Department of Veterans Affairs reported that a stolen laptop and computer hard drive taken from an employee's house in Montgomery County contained personal information on 25.5 million veterans and military personnel. Social Security numbers and the birthdates of 13,000 District workers and retirees were among the data contained on a laptop stolen last week from the Southeast Washington house of an employee of ING U.S. Financial Services.

When do we get to the point where these kinds of losses become so unacceptable that businesses are forced to take sensible measures to prevent them? Perhaps the thieves just want to wipe the drives and fence the computers for a few hundred bucks as soon as possible. But that doesn't erase the emotional and financial toll such thefts inflict on the people whose data was on them.

There is a relatively simple answer here: require companies that insist on storing sensitive information on laptops to encrypt the data or the hard drives themselves. But with all of the thefts and losses reported over the last 15 months alone, I wonder whether we've reached a point where everyone's private information isn't already available for sale in some giant black-market database somewhere.

Apparently, I'm not the only one who shares this suspicion, according to another story in the Post today that quotes Marcus Ranum, a firewall designer and security expert who is a frequent critic of the shoddy state of software security.

"By the time you add up a million here and 900,000 there and 4 million over there, you've covered most of the credit-holding and wage-earning population of the U.S.," Ranum wrote in an e-mail. "I'm sure my math is suspect, but I estimate that there are about 156 Americans whose personal information has not yet been compromised."

By Brian Krebs  |  June 22, 2006; 10:51 AM ET
Categories:  Latest Warnings  

Comments

Enough is enough. Someone is going to have to step in and stop this. Company/department deadlines involving personal data are of far less importance than protecting the personal data. If an employee and his/her supervisor determine otherwise and it results in a leak of personal data, then the employee and supervisor should both automatically lose their respective jobs, and the company/department/agency should have to go through 100s of hours of security training and a potential restructuring.

The mindset must change! No one is exempt from the policies relating to private/personal data. Security must be the priority and deadlines must take a backseat to it.

Posted by: Adain Baptiste | June 22, 2006 11:45 AM | Report abuse

Didn't the report say the laptops were password protected? No doubt there's a question as to how easily it could be decrypted. Disclosing the encryption type in the press would explain to the thief how to get the data they probably didn't know they had.

There's a point where you can only ban the use of laptops or any easily removed computer. If you have field agents using laptops, there will be sensitive data on them. Sometimes they will get stolen. Should they revert to paper and pencil for case notes? Those could always be stolen anyway.

Posted by: John Fallon | June 22, 2006 2:59 PM | Report abuse

I've said it before and I'll say it again: we need a law requiring public disclosure of all social security numbers (and mothers' maiden names while we're at it). These pieces of information are NOT secrets--far too many people have legitimate, let alone illegitimate access--and it's inexcusable for financial institutions to pretend that the information makes a suitable password. Nothing short of full public disclosure will expose the absurdity of this practice.

Posted by: antibozo | June 22, 2006 4:19 PM | Report abuse

Password protection is not enough; a strong password, coupled with folder encryption should be required and verified by management.

It is possible to log in to a password protected computer without knowing the password, or to gain access otherwise, by booting another operating system (say Linux). By doing this, one can gain access to information in unprotected files. This risk can be minimized by encrypting the data folder and all its contents. The WinXP Pro operating system provides these capabilities, and they are easy to use.

The latest organizational response to the theft or loss of personal ID data is to offer free credit monitoring reports. That is useful, but it puts the full burden upon the victim, not the organization at fault. The organization should be required to bear the full brunt of any ID theft, agreeing to insure any losses and providing legal and administrative support to ID-theft victims. (If the organization believes the ID-theft risk is as small as they usually suggest, such an offer would not cost them very much.)

Posted by: Publius | June 22, 2006 9:04 PM | Report abuse

Encryption's not a bad solution. But how about also being able to track the stolen machine and DELETE the data covertly?

www.MyLaptopGPS.com

Posted by: Dan | June 23, 2006 7:27 AM | Report abuse

You haven't scratched the surface; the bigger problem is the little USB "jump drives" that are so easy to use. A couple of strokes and the data is in the chip and the chip is in the pocket and out the door.

We try to use cash as much as possible. You don't need IDs, it is accepted everywhere, and it cannot be traced. Bank security is my biggest worry.

Posted by: Ken the Troll | June 23, 2006 10:41 AM | Report abuse

I don't get why the only data someone needs to engage in major identity theft is a name, SS number, and date of birth.

The burden shouldn't just be on the companies who have this data, but also on utility companies and credit card companies, etc. that currently only require SS #s, name, address, and date of birth to open an account.

Also, in the special case of buying/selling property, the notaries who are used to verify people's identity at closing are legally liable if it's not the actual person buying the house.

Posted by: mfs | June 23, 2006 11:48 AM | Report abuse

Some comments here about the need for action; I suggest, Brian, you may want to do an overview of current legislative activities. Some current bills on the Hill would greatly REDUCE current protections (I'll let you guess how it breaks down by political party). A good overview is available from Consumers Union at http://www.consumersunion.org/pdf/fed_security109.pdf
In the end, companies will only provide protections when it is expensive NOT to provide them.

Posted by: Dave H | June 23, 2006 2:56 PM | Report abuse

@John Fallon: give me a Windows XP CD and your laptop running WinXP, and I can reset your password in about 5 minutes. It's an undocumented 'feature' that you can google easily enough.

Posted by: Dave H | June 23, 2006 2:58 PM | Report abuse

Why not try a simple solution in addition to all of the other great high-tech ideas?

Start with EZFind - An encoded label with a unique code and a reward offered to the finder of a portable electronic device. Many items containing sensitive information are lost and never make it back to their owner(s) because it's not made easy.

Information and IDentity Theft begins at the baseline by simply placing your name on something or by not having something simple - like EZFind on your Blackberry or cell phone.

Here's a deal for you. Join EZFind and the WAR on ID Theft. Send us a self-addressed, stamped envelope and we'll send you one of our newest labels including our Global Collect phone number - FREE. And we'll send you a coupon for 50% off the purchase of our PS20 kit of labels and luggage tags.

Our mailing address is conveniently located on our home page: https://www.ezfind.com

Thanks - I look forward to you joining us and helping in the battle against IDentity Theft.

Vince Moro/CEO/EZFind Technologies, Inc.

Posted by: vmoro@ezfind.com | July 8, 2006 5:13 PM | Report abuse


© 2010 The Washington Post Company