http://savannahnow.com/node/166947 By Christian Livermore October 28, 2006 A laptop owned by a Savannah accounting firm containing 401(k) information for employees of at least one company was stolen during a recent trip to New York City. The laptop, belonging to Hancock Askew & Co. LLP partner Michael McCarthy, was stolen Oct. 5. The accounting firm notified at least one of the companies - Atlanta-based Atlantis Plastics Inc. - on Oct. 9. McCarthy confirmed the theft, but said no information had been extracted from the laptop. "No information has been accessed. No information was stolen," he said. "A laptop was stolen. It happened to contain information. We have absolutely no indication that any information has been leaked to anybody." The laptop had password protection and other safeguards in place to prevent unauthorized users from accessing information, McCarthy said. He declined to specify what the other safeguards were because the information was proprietary. McCarthy said he filed a report with the New York City Police Department. Atlantis representatives did not return five phone calls seeking comment. McCarthy declined to provide most details, including how many companies had information on the computer. He did say he took all steps and made all notifications. No company had canceled Hancock Askew's services because of the theft, he said. It is unclear whether the laptop was stolen for the computer itself or for any information it might contain. Electronic identity thieves operate hundreds of Internet sites to sell personal information. Other stolen laptops containing personal data have made news in recent month, most notably the May theft of a laptop owned by an employee of the U.S. Department of Veterans Affairs that contained the names, Social Security numbers and birth dates of 26 million U.S. veterans. More than 600,000 laptops are stolen every year, totaling about $720 million in hardware losses, according to 2003 figures from computer insurer Safeware, The Insurance Agency Inc. Those thefts amount to $5.4 billion in theft of proprietary information, according to Absolute Software Corp. Theft ranks as the second overall cause for PC loss, right behind damage, according to Safeware. There are several levels of security for computers, and passwords and user permissions are fairly simple to crack on a laptop, said Vann Pendley, vice president of technology at Savannah-based computer security company PST Inc. "User permissions are great for networks, but in the case of a laptop, for somebody with computer knowledge, it's very easy to override those permissions using a variety of different tools," Pendley said. "Most people have the requisite software in their home to do it." A more effective level of protection for data is encryption, a means of using mathematical algorithms to scramble data so it is unreadable by anybody without the encryption key. Because the possible key combinations number in the trillions, it takes very sophisticated computers and abilities to decrypt and retrieve data, technology and abilities most electronic pirates don't have, Pendley said. Still, he said, the best way to protect information is not to store it on a laptop at all. "The single biggest threat to computer security is someone gaining physical access to the computer," he said. "If somebody walks off with the laptop, they've got unfettered access to the computer, and so any data stored on it runs the risk of being compromised, especially unencrypted data." The American Institute of Certified Public Accountants recommends the same security measures Pendley outlined. Ideally, firms should limit the amount of proprietary information employees store on a laptop, especially when traveling, but realistically that may not be possible, especially for accountants, said Phil Juravel, a member of the Institute's privacy task force who also owns an accounting firm in Alpharetta. "Especially with 401(k) plans, as they work on them while they're in the field, they may have files on there that have not been synchronized back to the main location, so there will be times that they have to have that kind of information on it," Juravel said. The most important thing to do once a laptop has been stolen, Juravel said, is to immediately inform people whose information was stored in it. "Be up front and let them know," he said, "so you don't have fallout later." _________________________________ Visit the InfoSec News store! http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Sun Oct 29 2006 - 22:31:03 PST