[prev in list] [next in list] [prev in thread] [next in thread]
List: isn
Subject: [ISN] Savannah company's laptop theft highlights data security
From: InfoSec News <alerts () infosecnews ! org>
Date: 2006-10-30 6:14:08
Message-ID: Pine.LNX.4.61.0610300013240.30862 () conundrum ! infosecnews ! org
[Download RAW message or body]
http://savannahnow.com/node/166947
By Christian Livermore
October 28, 2006
A laptop owned by a Savannah accounting firm containing 401(k)
information for employees of at least one company was stolen during a
recent trip to New York City.
The laptop, belonging to Hancock Askew & Co. LLP partner Michael
McCarthy, was stolen Oct. 5. The accounting firm notified at least one
of the companies - Atlanta-based Atlantis Plastics Inc. - on Oct. 9.
McCarthy confirmed the theft, but said no information had been extracted
from the laptop.
"No information has been accessed. No information was stolen," he said.
"A laptop was stolen. It happened to contain information. We have
absolutely no indication that any information has been leaked to
anybody."
The laptop had password protection and other safeguards in place to
prevent unauthorized users from accessing information, McCarthy said. He
declined to specify what the other safeguards were because the
information was proprietary.
McCarthy said he filed a report with the New York City Police
Department.
Atlantis representatives did not return five phone calls seeking
comment.
McCarthy declined to provide most details, including how many companies
had information on the computer. He did say he took all steps and made
all notifications. No company had canceled Hancock Askew's services
because of the theft, he said.
It is unclear whether the laptop was stolen for the computer itself or
for any information it might contain. Electronic identity thieves
operate hundreds of Internet sites to sell personal information.
Other stolen laptops containing personal data have made news in recent
month, most notably the May theft of a laptop owned by an employee of
the U.S. Department of Veterans Affairs that contained the names, Social
Security numbers and birth dates of 26 million U.S. veterans.
More than 600,000 laptops are stolen every year, totaling about $720
million in hardware losses, according to 2003 figures from computer
insurer Safeware, The Insurance Agency Inc. Those thefts amount to $5.4
billion in theft of proprietary information, according to Absolute
Software Corp.
Theft ranks as the second overall cause for PC loss, right behind
damage, according to Safeware.
There are several levels of security for computers, and passwords and
user permissions are fairly simple to crack on a laptop, said Vann
Pendley, vice president of technology at Savannah-based computer
security company PST Inc.
"User permissions are great for networks, but in the case of a laptop,
for somebody with computer knowledge, it's very easy to override those
permissions using a variety of different tools," Pendley said. "Most
people have the requisite software in their home to do it."
A more effective level of protection for data is encryption, a means of
using mathematical algorithms to scramble data so it is unreadable by
anybody without the encryption key. Because the possible key
combinations number in the trillions, it takes very sophisticated
computers and abilities to decrypt and retrieve data, technology and
abilities most electronic pirates don't have, Pendley said.
Still, he said, the best way to protect information is not to store it
on a laptop at all.
"The single biggest threat to computer security is someone gaining
physical access to the computer," he said. "If somebody walks off with
the laptop, they've got unfettered access to the computer, and so any
data stored on it runs the risk of being compromised, especially
unencrypted data."
The American Institute of Certified Public Accountants recommends the
same security measures Pendley outlined.
Ideally, firms should limit the amount of proprietary information
employees store on a laptop, especially when traveling, but
realistically that may not be possible, especially for accountants, said
Phil Juravel, a member of the Institute's privacy task force who also
owns an accounting firm in Alpharetta.
"Especially with 401(k) plans, as they work on them while they're in the
field, they may have files on there that have not been synchronized back
to the main location, so there will be times that they have to have that
kind of information on it," Juravel said.
The most important thing to do once a laptop has been stolen, Juravel
said, is to immediately inform people whose information was stored in
it.
"Be up front and let them know," he said, "so you don't have fallout
later."
_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic