HMRC stolen laptop, 400 victims, and encryption
Date Reported:
10/5/07
Organization:
HM Revenue & Customs (HMRC)(UK)
Contractor/Consultant/Branch:
None
Victims:
The customers of "several financial institutions".
Number Affected:
400
Types of Data:
"personal financial details"
Breach Description:
A laptop containing sensitive financial details of up to 400 customers of several financial institutions was stolen from the car of an HMRC employee on September 20th. The laptop was protected by "top level encryption".
Reference URL:
Manchester Evening News Story
Report Credit:
Manchester Evening News
Response:
From the online article cited above:
"HM Customs and Revenue is investigating the incident after an employee's laptop was stolen from the boot of a car."
[Comfyllama] I feel like a dumb American because I don't know what a "boot of a car" is!
"The computer contained sensitive financial details of at least 400 people which had been passed to the HMRC by several financial institutions as part of an audit."
"HMRC confirmed that the computer, which disappeared overnight on September 20, did hold customer information but said it was protected by 'top level encryption'."
[Comfyllama] Amen! A stolen laptop report with a laptop that was actually encrypted! If the "top level encryption" was implemented correctly and securely (see Commentary), then the people with information on the laptop have nothing to worry about.
"The incident has been reported to the police and we are carrying out an urgent internal inquiry."
"The Liontrust, a fund management company whose customers' details were contained on the laptop, said their clients' investments were safe."
He said: "It has been an unfortunate incident on the part of the HMRC, but it is us that has been left to pick up the pieces."
[Comfyllama] Like I stated earlier, if the encryption was implemented correctly, there won't be many pieces to pick up.
Commentary:
I was very pleased to read that this HMRC laptop was encrypted. People who have read my previous posts know how much I preach the use of encryption. Now on to some encryption basics: most laptop encryption products on the market today use what is called private key encryption, where a key is used to "unlock" the encryption and allow the holder of the key to access the data. In most organizations a key is a password, which is the least secure method of authentication because many people write them down (even ON laptops!). If the password (private key) was written down on the laptop or with the laptop, then we have other issues. Follow?
All in all, bravo to HMRC.
Past Breaches:
Unknown
