Citizens Advice stolen laptop was encrypted
Technorati Tag: Security Breach
Date Reported:
12/11/07
Organization:
Citizens Advice
Contractor/Consultant/Branch:
None
Victims:
Clients from the Belfast area
Number Affected:
60,000
Types of Data:
Name, address, date of birth, and national insurance number*. In a number of cases, financial data.
*A National Insurance number is roughly equivalent to a U.K. version of an American Social Security number.
Breach Description:
A laptop computer was stolen from an employee of Citizens Advice (UK) that contained sensitive personal information about people who sought advice from the bureau. The laptop was stolen early on December 5th, 2007 and mainly affects clients from the Belfast area. According to Citizens Advice, the laptop was encrypted.
Reference URL:
News story at The Register (UK)
U.TV News Report
Report Credit:
U.TV
Response:
From the online sources cited above:
A laptop containing client information has been stolen from the car of an employee of Citizens Advice in Northern Ireland.
Up to 60,000 client records are held on the computer, which was stolen in the early hours of 5 December 2007. According to Citizens Advice in Northern Ireland, the data stored relates to people from the Belfast area who have sought advice from a Citizens Advice Bureau office within the city.
most records would include name, address, date of birth, and national insurance number
some financial information is also recorded, including the client's bank account number
[Evan] Ugh! Seems like a lot of personal data on one laptop!
the data was protected by three levels of security, including a high level of encryption.
[Evan] Sweet Child! Encryption at last.
"It is highly unlikely that a criminal will be able to access the data, but people who have used Citizens Advice in the Belfast area should check for anything unusual,", Citizens Advice chief executive Derek Alcorn
"It is a fundamental principle of Citizens Advice that people are able to deal with us in confidence. The theft of this laptop is highly regrettable, but given that the potential always exists for the theft of data, we have always sought to ensure that information is secured as strongly as possible through modern encryption systems.", Alcorn
In addition to writing to all those affected and providing appropriate advice, an 0800 helpline has been established to provide immediate advice to any individual. The organisation has also said it will commission an external, high level and independent review of its policies, procedures, and data protection.
Commentary:
This is refreshing, an ENCRYPTED stolen laptop! The data on this laptop is useless to anyone without the key. I don't know the details of which encryption product that Citizens Advice has chosen to use on their laptops, but I assume it is a commercial solution such as Utimaco or Pointsec. Kudos to Citizens Advice for their proactive decision to encrypt sensitive data on a laptop.
Good commercial versions of "whole disk" laptop encryption software will protect against slaving the hard drive to another computer (thus bypassing password protection) and provide a replacement logon GINA (thus providing reasonable protection against password cracking). I have had the pleasure to use both Utimaco and Pointsec in different deployments, and both offer valuable features. The key is key management (no pun intended).
Assuming that key management is handled securely (i.e. no password written on the laptop), then we MAY be able to assume that the confidentiality of the data on the laptop was not compromised. I am not close enough to the investigation to know.
An added benefit to laptop encryption is some regulations include "safe harbor" statements that could save serious money and embarrassment. If you have a questions or concerns about laptop encryption, or other information security issues, send us a note at The Trusted Toolkit
Past Breaches:
Unknown
Date Reported:12/11/07
Organization:
Citizens Advice
Contractor/Consultant/Branch:
None
Victims:
Clients from the Belfast area
Number Affected:
60,000
Types of Data:
Name, address, date of birth, and national insurance number*. In a number of cases, financial data.
*A National Insurance number is roughly equivalent to a U.K. version of an American Social Security number.
Breach Description:
A laptop computer was stolen from an employee of Citizens Advice (UK) that contained sensitive personal information about people who sought advice from the bureau. The laptop was stolen early on December 5th, 2007 and mainly affects clients from the Belfast area. According to Citizens Advice, the laptop was encrypted.
Reference URL:
News story at The Register (UK)
U.TV News Report
Report Credit:
U.TV
Response:
From the online sources cited above:
A laptop containing client information has been stolen from the car of an employee of Citizens Advice in Northern Ireland.
Up to 60,000 client records are held on the computer, which was stolen in the early hours of 5 December 2007. According to Citizens Advice in Northern Ireland, the data stored relates to people from the Belfast area who have sought advice from a Citizens Advice Bureau office within the city.
most records would include name, address, date of birth, and national insurance number
some financial information is also recorded, including the client's bank account number
[Evan] Ugh! Seems like a lot of personal data on one laptop!
the data was protected by three levels of security, including a high level of encryption.
[Evan] Sweet Child! Encryption at last.
"It is highly unlikely that a criminal will be able to access the data, but people who have used Citizens Advice in the Belfast area should check for anything unusual,", Citizens Advice chief executive Derek Alcorn
"It is a fundamental principle of Citizens Advice that people are able to deal with us in confidence. The theft of this laptop is highly regrettable, but given that the potential always exists for the theft of data, we have always sought to ensure that information is secured as strongly as possible through modern encryption systems.", Alcorn
In addition to writing to all those affected and providing appropriate advice, an 0800 helpline has been established to provide immediate advice to any individual. The organisation has also said it will commission an external, high level and independent review of its policies, procedures, and data protection.
Commentary:
This is refreshing, an ENCRYPTED stolen laptop! The data on this laptop is useless to anyone without the key. I don't know the details of which encryption product that Citizens Advice has chosen to use on their laptops, but I assume it is a commercial solution such as Utimaco or Pointsec. Kudos to Citizens Advice for their proactive decision to encrypt sensitive data on a laptop.
Good commercial versions of "whole disk" laptop encryption software will protect against slaving the hard drive to another computer (thus bypassing password protection) and provide a replacement logon GINA (thus providing reasonable protection against password cracking). I have had the pleasure to use both Utimaco and Pointsec in different deployments, and both offer valuable features. The key is key management (no pun intended).
Assuming that key management is handled securely (i.e. no password written on the laptop), then we MAY be able to assume that the confidentiality of the data on the laptop was not compromised. I am not close enough to the investigation to know.
An added benefit to laptop encryption is some regulations include "safe harbor" statements that could save serious money and embarrassment. If you have a questions or concerns about laptop encryption, or other information security issues, send us a note at The Trusted Toolkit
Past Breaches:
Unknown
Posts Atom 1.0
Comments