How Many Times Will This Happen?

  • Or is it a sign of the times and something that we'll have in the news on a regular basis for the next few years? Another laptop theft with data, this time from Hotels.com. It was actually an Ernst & Young laptop, the firm that audits hotels.com, but still.

    This makes me feel silly for complaining about JD Edwards laptops and the required Pointsec encryption we had to put on every laptop. I didn't like it at the time, but it wasn't a horrible intrusion and these days I think a necessary one.

    With all of the hype on identity theft, data privacy, and portable computers, I cannot believe that every company that allows any data to go outside of their physical office, whether on a backup tape or a laptop, doesn't require encryption or some type of protection. At least do something to protect it. Most thefts are random and the thief probably wasn't looking for credit card data, so a simple password might protect the data in most cases.

    If governments want to do something about identity theft and privacy, pass that law. Force everyone to encrypt their data and us in IT to come up with good ways to protect it. I didn't like encrypting backups with Litespeed, the only choice a few years ago, but it was worth it to protect backup tapes. Now with more choices at very reasonable prices, and MSDE/SQL Express able to use them, every database that contains individual data, and especially financial data, should have its backups encrypted.

    Steve Jones

  • Thanks for sharing this one. We're trying to institute a number of security policies on laptops within our organization and we've been meeting resistance, especially from development. Having stories like this to pass on to management is really going to be useful.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • I believe the hotels.com issue begs the question: Why would any company risk their reputation and/or business by allowing customer personal information to be placed on a third-party machine? If an auditor needs access to said data, they can do so with the data in place, through secured channels and with the full knowledge of the Security and DBA personnel of the company being audited. As one of the major signatories to a corporate annual report, should we not hold auditing firms to a higher standard than this?

    ------------
    Buy the ticket, take the ride. -- Hunter S. Thompson

  • I'm curious if and how large the business impact will be for hotels.com. I know I'll be far less apt to ever book a hotel with them, because they obviously had little or no data handling policy in place. At best, their policy was full of gaping holes. I suspect the day we see bottom line impacts in double digit percentage losses is the day we'll see good data handling become the norm.

  • Amen. We trust these people with our personal information (regardless of what their legalese says in the privacy policy). The least they can do is use notebooks for what they're good for: windows into the corporate network, not workstations. A decent set of terminal servers at the edge of the VPN should be the furthest out that confidential data should go... It should never be permitted to be copied outside the confines of the corporate LAN/WAN.
    That said (out loud, many, many times to many people), nearly every client that I've consulted with in the past 24 months would rather hand me a flash disk or a DVD full of confidential, individual health care information or their proprietary financial data than to either let me onto their VPN and terminal servers (it apparently takes an act of the Bored Directors these days to let someone have remote access)... or heaven forbid, actually pay for the time required to create a representative test data set that doesn't use any of their clients' confidential information.
    Unfortunately, I think it may take SarbOx type legislation to get the corporate captains' attention on the privacy front.

  • I would like to see a major effort towards boycotting Hotels.com into bankruptcy; as long as we keep tolerating this type of abuse of our personal information, it will continue to happen. If other companies were to witness the complete annihilation of a company at the hands of consumers angered at such a transgression against privacy, then this might not be happening as much.
    Sure, this sounds extreme, but I have been on three such lists of customers now where the data could not be accounted for in the last year alone!
    I had some insight into how this can happen this week. We have a contractor who has been asking for access to the production data for a system he is responsible for. My boss gave him complete administrative access to every system we have instead of giving him access only to the system he needed. Until I can get that barn door shut again, there is no telling what this contractor is going through and/or downloading to his laptop!

  • Passing some law stating that all companies must encrypt their data is useless. What's more damaging/liable, the Federal gov't fining you for not encrypting data that wasn't lost or stolen, or actually losing the data and suffering business and lawsuit consequences? Besides, having a law mandating encryption doesn't guarantee that any particular company will comply.

    The only "law" we need is one that forces companies to notify the public when there is a breach of confidential information. The market and civil legal system will take care of the rest.

  • Duh, securely encrypted virtual drives are easy to use (even some good free software). No brainer. And it works with USB chips too.

    On the other hand, while it may be good for Congress to establish legal responsibility for misplaced data, it is absolutely a bad idea for them to determine how protection is to be implemented.
    ...

    -- FORTRAN manual for Xerox Computers --

  • But what form would that legal responsibility take? The civil penalties are a joke. The civil actions only serve to enrich the attorneys involved.
    I found out yesterday that I'm part of two different classes in suits against a big wireless telecom provider [who shall remain nameless] and my remedy for fraudulent billing practices and overcharging is limited to some teensy billing credit for future services with said telecom or equivalent amounts of long distance calling cards for future services with said telecom. Being forced to continue doing business with them (even though I was blissfully unaware of the fact that I'd been wronged until yesterday) in order to receive my "remedy" doesn't seem like a good way to enforce responsibility...
    Having observed "captains of industry" up close, I have observed that they fear the bracelets of justice (handcuffs) but not really the loss of cash that can be written off as a cost of doing business. It just seems wrong to have to put SarbOx-type legislation in place everywhere just to keep people behaving well.
    I guess it's time to go re-read my copy of "Who stole my cheese?!"

  • Someone stealing the laptop was definitely a fraud. However, I remember one time at my old company, a salesman went to the airport. While passing through security (you know how it is these days: we have to put the laptop in a bin, take off our shoes and jacket, and put everything through the x-ray machine while there are tons of people behind us), and these days almost everyone has a laptop, it just happened that our salesman and the guy behind him had exactly the same laptop. After the x-ray, they tried to collect their jackets, their shoes, their briefcases and their laptops. They accidentally switched laptops. Of course no one thinks of putting their name on the laptop! The salesman did not know until he arrived back at the office and turned on the laptop. The security and PC departments went through the roof! This is not a joke.

  • I wish the problem with identity theft were as "easily" solvable as encrypting all devices containing private data. However, the real problem seems to be the freedoms that credit card companies, corporations, and other agencies take with OUR personal data.

    If the government were to pass laws placing the onus or the burden of identity theft on the credit card companies, corporations, etc. (where it belongs) that share, trade, or give away an individual's personal data, rather than on the individual, you bet you would see a dramatic downslide in the volume of identity thefts.

    While I understand that this entails a tremendous financial expenditure, the question that one needs to address is, "Well, who caused this problem to begin with?"

    Credit Burned Ed 