Laptop bought on eBay contained "highly confidential" Home Office disk

Date Reported:
2/28/07

Organization:
The Home Office (UK)*

*"The Home Office is the government department responsible for leading the national effort to protect the public from terrorism, crime and anti-social behaviour." - Source Home Office About Us page

Contractor/Consultant/Branch:
Leapfrog Computers

Victims:
N/A

Number Affected:
N/A

Types of Data:
Unknown - labeled "Home Office - highly confidential"

Breach Description:
A laptop reportedly purchased through eBay contained a CD marked "Home Office - highly confidential" under the keyboard and above the circuit board. The purchaser brought the computer to Leapfrog Computers in Westhoughton (UK) for repair, where the technician discovered the encrypted compact disc.

Reference URL:
The Bolton Evening News
BBC News

Leapfrog Computers online statement

Report Credit:
Lee Bevan, Leapfrog Computers, brought to the attention of The Breach Blog by an informed reader

Response:
From the online sources cited above:

A highly confidential Home Office disk was found hidden in a laptop computer sold on eBay.

The CD was found between the keyboard and circuit board of the laptop by computer repair technicians.
[Evan] Obviously the CD was put under the laptop on purpose.  But why and by whom?

Technicians at the shop called police who sent around anti-terrorist officers to confiscate the machine.

The Home Office said investigations were under way into the incident.

The laptop had been taken into the Leapfrog Computers store by a customer who bought it on the internet auction site.

When engineers took off the keyboard they found a CD marked "Home Office - highly confidential".

Managing director Lee Bevan said: "I thought it was a spoof at first - I just figured someone was having a joke."

Mr Bevan put the disk into the drive to check it and found it was encrypted.
[Evan] I understand how curiosity can drive someone to put the disk in the drive to find out what is/was on it, but I wouldn't suggest doing this if it's marked "Home Office - highly confidential".  Thankfully the disk was encrypted because this could have been a different story for Mr. Bevan had it not been.

Founder and managing director Lee Bevan contacted police, who spent three hours interviewing him.

Officers from Greater Manchester Police took the laptop and disk away but have now concluded their investigation.

The Home Office — the government body responsible for maintaining law and order and fighting terrorism — confirmed the disc was genuine and said it was investigating the incident.

A Home Office spokesman said: "Both the laptop and the disk were encrypted, thus safeguarding any information that might be stored on them.

"Investigations are now under way. It would be inappropriate to comment further while they are ongoing."

Staff at Leapfrog are being finger-printed and having DNA swabs to rule them out of the investigation.
[Evan] Think the Home Office is taking this seriously?  Uh, yeah I would say so.

Mr Bevan, aged 36, said: "The disc had been put inside the laptop on purpose. As soon as we found it, we contacted the police, who came immediately.

"I'm just glad it's turned up here rather than landing in the wrong hands.

"I don't know where the disc has come from. I have never seen a disc stored in this way before."

Commentary:
This is very interesting and mysterious. How did the disk get there, who put it there, and for what purpose? I wonder if the disk was put under the laptop keyboard in order to get it out of a building or other secure facility without being noticed. Some high-security organizations will actually check baggage and drives for the existence of disks, thumb drives and other mobile media.

Q.  What could have made this much worse?
A.  If the data on the disk is/was actually "highly confidential", the disk was not encrypted, and someone with bad intentions found it.  Encryption is a very good thing, but only as good as the key management process that goes along with it.  For instance, full disk encryption can easily be defeated on a laptop with a Post-It note that says "Username: john.doe, Password: G3tMy!-Key".  Get what I am saying?

Past Breaches:
Unknown


 