Government agencies and private businesses need to make laptop security a higher priority if they want to avoid repeating the current maelstrom at the Department of Veterans Affairs and Hotels.com following the thefts of laptops containing sensitive consumer information from those organizations.
Laptop security means proper training and screening of employees as well as technical safeguards, according to technology analysts and security professionals.
The VA laptop contained personal information on 26.5 million veterans, and the machine stolen from Hotels.com’s auditor, Ernst & Young, contained data on 243,000 customers. Neither machine was encrypted. Encryption would have scrambled the information into a form that can be read only by someone holding the right key or password.
Another unencrypted laptop containing pension data on former employees of supermarket chains owned by Royal Ahold, including Landover-based Giant Food, was stolen last month.
“There’s no good excuse anymore when it costs about $40 to encrypt laptop data,” said Avivah Litan, an analyst at Gartner Inc., who was in Washington for the Gartner IT Security Summit that ended yesterday. Employees should be given laptops containing sensitive data only on a need-to-know basis, and, when that happens, the data should be encrypted, she said.
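What “encrypted with a key or password” means in practice, as an added example that is not from the article or from any of the organizations it names: a record is sealed with a key stretched from a passphrase, so a thief who copies the file gets neither the Social Security number nor a way to brute-force it cheaply, and a wrong passphrase is rejected outright rather than yielding garbage. It uses only the Python standard library; because the standard library has no AES, the stream cipher here is built from HMAC-SHA256 in counter mode, an illustrative construction chosen so the example runs anywhere, not a recommendation to roll your own. The function names, the iteration count and the sample record are all assumptions; on a real laptop the equivalent is the operating system’s full-disk encryption (LUKS, FileVault, BitLocker).

```python
"""Added example: passphrase-based encryption of a record at rest (stdlib only).

Design: PBKDF2-HMAC-SHA256 stretches the passphrase into an encryption key and
a separate MAC key; the data is XORed with an HMAC-SHA256 keystream (counter
mode); an HMAC tag over salt||nonce||ciphertext is checked BEFORE decrypting,
so a wrong passphrase or a tampered file fails closed.
"""
import hashlib
import hmac
import secrets

SALT_LEN = 16           # random per record, so equal passphrases give different keys
NONCE_LEN = 16          # random per record, so equal plaintexts give different ciphertexts
TAG_LEN = 32            # HMAC-SHA256 output
PBKDF2_ITERATIONS = 200_000   # assumed value; raise it to what your hardware tolerates


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase into two independent 32-byte keys (encrypt, MAC)."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) for counter = 0, 1, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_record(passphrase: str, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError on a wrong passphrase or altered blob."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to be a sealed record")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("wrong passphrase or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def leaks_field(blob: bytes, field: bytes) -> bool:
    """True if a sensitive field is still readable in the stored bytes (as on an unencrypted disk)."""
    return field in blob


# Constructed sample record, in the shape of the data described in the article.
SAMPLE_RECORD = b"name=Jane Doe;ssn=123-45-6789;dob=1970-01-01"

if __name__ == "__main__":
    sealed = encrypt_record("correct horse battery staple", SAMPLE_RECORD)
    print("SSN visible in sealed copy:", leaks_field(sealed, b"123-45-6789"))   # False
    print("Decrypted:", decrypt_record("correct horse battery staple", sealed))
    try:
        decrypt_record("guess", sealed)
    except ValueError as err:
        print("Wrong passphrase:", err)
```

The check in `decrypt_record` is the part that matters most: the tag is verified before any plaintext is produced, so a thief guessing passphrases learns only “rejected”, and each guess costs a full PBKDF2 run. Note that this only moves the problem onto the passphrase and its handling; a key left on a sticky note or cached unlocked gives the thief the same result as no encryption at all.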
“This has not been a high priority like servers and networks,” Ms. Litan said. “The last thing companies think about is laptops and tapes.”
“Who’s vulnerable? Anybody who has data,” said Richard W. Goldberg, chief of the financial institution fraud and identity theft section in the U.S. Attorney’s Office in Philadelphia, during a presentation at the Gartner conference. The U.S. economy depends on “trust and speed, and that buys you a target-rich environment.”
At the Department of Veterans Affairs (VA), a data analyst took home a laptop containing identifying information, including names, Social Security numbers and dates of birth, for up to 26.5 million veterans and some spouses. The government announced this week that those records included more than 2 million current active-duty, Reserve and National Guard members.
Hotels.com and Ernst & Young are mailing notification letters to 243,000 Hotels.com customers whose names, addresses and credit-card information were on the stolen laptop.
Stolen personal background information is worth up to $1,000 per person on the street, Mr. Goldberg said. “If it’s recently stolen, it’s going to be worth more money,” he said.
There is no evidence that the stolen data have been used in any of the recent cases.
“The root of the issue is, where does the data belong and who has access to it? Just trying to solve it with technology, I don’t think you’ll succeed,” said Sara Santarelli, chief information security officer for Verizon Business in Colorado Springs. “If all you do is go slap on encryption, you’re not getting to the root of the problem.”
Ms. Santarelli speaks from experience. In April 2005, a laptop containing Verizon Business data was stolen from an employee who had parked her car in a locked garage. The company immediately notified law-enforcement officials and its customers nationwide who were potentially affected. To date, there is no evidence that the information was used.
Complete security is not possible in today’s environment, but organizations can manage the risks, she said. The process takes time and money, but the monetary costs and reputation damage will be far worse if security is breached.
Since the theft, VA Secretary Jim Nicholson has ordered an inventory and review of all current positions requiring access to sensitive agency data. Employees who need access to do their jobs will be required to undergo an updated background check.
Charles Perkins, a spokesman for Ernst & Young, said the accounting firm was in the process of encrypting employee laptops when the one containing Hotels.com information was stolen.
Potential victims must remain vigilant. Criminals know that companies will put 90-day holds on accounts, and they sometimes wait longer than that before trying to access them, Ms. Santarelli said.
On the bright side, a stolen laptop may never get into the hands of someone who can access, or use, the information on it, security professionals said.