[ISN] Savannah company's laptop theft highlights data security concerns

From: InfoSec News (alerts@private)
Date: Sun Oct 29 2006 - 22:14:08 PST


http://savannahnow.com/node/166947

By Christian Livermore 
October 28, 2006

A laptop owned by a Savannah accounting firm containing 401(k) 
information for employees of at least one company was stolen during a 
recent trip to New York City.

The laptop, belonging to Hancock Askew & Co. LLP partner Michael 
McCarthy, was stolen Oct. 5. The accounting firm notified at least one 
of the companies - Atlanta-based Atlantis Plastics Inc. - on Oct. 9.

McCarthy confirmed the theft, but said no information had been extracted 
from the laptop.

"No information has been accessed. No information was stolen," he said. 
"A laptop was stolen. It happened to contain information. We have 
absolutely no indication that any information has been leaked to 
anybody."

The laptop had password protection and other safeguards in place to 
prevent unauthorized users from accessing information, McCarthy said. He 
declined to specify what the other safeguards were because the 
information was proprietary.

McCarthy said he filed a report with the New York City Police 
Department.

Atlantis representatives did not return five phone calls seeking 
comment.

McCarthy declined to provide most details, including how many companies 
had information on the computer. He did say he took all steps and made 
all notifications. No company had canceled Hancock Askew's services 
because of the theft, he said.

It is unclear whether the laptop was stolen for the computer itself or 
for any information it might contain. Electronic identity thieves 
operate hundreds of Internet sites to sell personal information.

Other stolen laptops containing personal data have made news in recent 
months, most notably the May theft of a laptop owned by an employee of 
the U.S. Department of Veterans Affairs that contained the names, Social 
Security numbers and birth dates of 26 million U.S. veterans.

More than 600,000 laptops are stolen every year, totaling about $720 
million in hardware losses, according to 2003 figures from computer 
insurer Safeware, The Insurance Agency Inc. Those thefts amount to $5.4 
billion in theft of proprietary information, according to Absolute 
Software Corp.

Theft ranks as the second overall cause for PC loss, right behind 
damage, according to Safeware.

There are several levels of security for computers, and passwords and 
user permissions are fairly simple to crack on a laptop, said Vann 
Pendley, vice president of technology at Savannah-based computer 
security company PST Inc.

"User permissions are great for networks, but in the case of a laptop, 
for somebody with computer knowledge, it's very easy to override those 
permissions using a variety of different tools," Pendley said. "Most 
people have the requisite software in their home to do it."

A more effective level of protection for data is encryption, a means of 
using mathematical algorithms to scramble data so it is unreadable by 
anybody without the encryption key. Because the possible key 
combinations number in the trillions, it takes very sophisticated 
computers and abilities to decrypt and retrieve data, technology and 
abilities most electronic pirates don't have, Pendley said.

Still, he said, the best way to protect information is not to store it 
on a laptop at all.

"The single biggest threat to computer security is someone gaining 
physical access to the computer," he said. "If somebody walks off with 
the laptop, they've got unfettered access to the computer, and so any 
data stored on it runs the risk of being compromised, especially 
unencrypted data."

The American Institute of Certified Public Accountants recommends the 
same security measures Pendley outlined.

Ideally, firms should limit the amount of proprietary information 
employees store on a laptop, especially when traveling, but 
realistically that may not be possible, especially for accountants, said 
Phil Juravel, a member of the Institute's privacy task force who also 
owns an accounting firm in Alpharetta.

"Especially with 401(k) plans, as they work on them while they're in the 
field, they may have files on there that have not been synchronized back 
to the main location, so there will be times that they have to have that 
kind of information on it," Juravel said.

The most important thing to do once a laptop has been stolen, Juravel 
said, is to immediately inform people whose information was stored in 
it.

"Be up front and let them know," he said, "so you don't have fallout 
later."

