[ISN] Lax laptop security is a growing privacy concern

From: InfoSec News (alerts@private)
Date: Mon Jul 09 2007 - 01:32:06 PDT


The Kansas City Star
July 07, 2007

Here’s something scary: Millions of personal files on consumers are 
stored on laptop computers routinely left in areas accessible to 

Forget hackers that bypass sophisticated security systems. Identity 
thieves are simply walking off with laptops containing lots of juicy 
private and financial information.

Ask Linda J. of Lenexa. In May, she received a letter from a former 
employer stating cryptically: “We are contacting you about a potential 
problem involving possible identity theft.”

The letter went on to say the stolen computers contained names, 
addresses and Social Security numbers on current and former employees.

Ironically, the company, Securitas Security Services USA Inc., is one of 
the world’s biggest security firms. Once known as Pinkerton’s — the 
detective agency that dogged Jesse James — the $6 billion company 
operates in 30 countries and has 200,000 employees.

But on the night of April 26, apparently without detection, thieves 
slipped out of the company’s West Coast operations center with “a 
number” of laptop computers.

Linda J., who asked that her name not be used since her identity has 
already been compromised, worked for the company for three months as a 
grade-school crossing guard. She said those three months are hardly 
worth the current hassle of calling credit bureaus, creditors and banks 
to ensure someone doesn’t go on a spending bender using her good name.

“I’m the one that has to take all the responsibility,” she said. “I have 
to put fraud alerts on all my credit reports. Basically, they are saying 
their responsibility ended when they sent me a letter.”

Securitas set up a hotline for employees. A spokesman said that more 
than 100,000 current and former employees got letters and that the 
company was also contacting credit bureaus.

“The investigation is still ongoing,” the spokesman said.

The theft of laptops loaded with personal information seems to be a 
thriving business.

I counted more than 11 laptop thefts listed since late April by the 
Privacy Rights Clearinghouse. The thefts affect hundreds of thousands of 
people. That doesn’t even count thefts of discs, tapes and software 

“My guess is there are far more incidents that exist than we have in our 
listing,” said Beth Givens, director of the California-based identity 
theft watchdog.

The list counts only breaches reported in the media. And a lot of 
embarrassed companies don’t go out of their way to make their goofs 

Here’s a sample of more information compromised by laptop thefts:

* Information on Caterpillar employees was stolen from a benefits 
  consultant April 27.

* Patient information was stolen from Highland Hospital in Rochester, 
  N.Y., on May 11 and was sold on eBay.

* Student financial aid information was stolen from Northwestern 
  University on May 20.

* Student Social Security numbers were stolen from a Texas A&M professor 
  on vacation June 18.

* Data on Texas First Bank customers disappeared when a car was stolen 
  in Dallas on June 22.

What this suggests is that some businesses may be too cavalier with 
consumer data.

Most attention focuses on what consumers can do after they’ve been 
victimized. Not enough is focused on businesses protecting consumers.

Federal identity theft laws vary depending on the industry..

“We don’t have an overarching identity theft protection law,” Givens 

Linda J. called Securitas for more information. She said she was told 
not to fret too much because there was no evidence her personal data had 
been misused by thieves.

“They (businesses) always say that,” Givens said, with a mock laugh. “It 
aggravates me. They have no way of knowing what kind of voyage that 
information embarked on.”

In its letter to Linda J., Securitas said: “We regret that this 
unfortunate event occurred and we are in the process of enhancing our 
procedures and controls so that criminal events like this do not happen 
in the future.”

This is the same company that says on its Web site: “At Securitas, our 
mission comes down to pretty much one thing: to protect you, our 

Taking action

If you have reason to suspect identity theft, you can put a fraud alert 
on your credit file.

It tells creditors to check with you before opening any new accounts. 
Filing an alert also entitles you to a free credit report from each 
bureau, and it can be renewed every 90 days.

For more information, go to www.ftc.gov/idtheft.

© 2007 Kansas City Star and wire service sources. All Rights Reserved.

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Mon Jul 09 2007 - 01:42:14 PDT