Daily Mail publisher admits to stolen laptop
Technorati Tag: Security Breach
Date Reported:
7/4/08
Organization:
Daily Mail and General Trust plc
Contractor/Consultant/Branch:
Northcliffe Media
Associated Newspapers Ltd
Victims:
Staff, suppliers and contributors
Number Affected:
"thousands"
Types of Data:
"name, address, bank account number and bank sort code"
Breach Description:
"Daily Mail publisher Associated Newspapers has admitted that a laptop containing financial and personal details of thousands of staff, suppliers and contributors has been stolen."
Reference URL:
ComputerWorldUK
Guardian News (UK)
Guardian News (UK) additional info
Report Credit:
Guardian Newspaper
Response:
From the online sources cited above:
Daily Mail publisher Associated Newspapers has admitted that a laptop containing financial and personal details of thousands of staff, suppliers and contributors has been stolen.
A Daily Mail & General Trust spokeswoman said: "DMGT confirms that a laptop company computer containing certain confidential information was stolen last week.
After months of criticising "criminally careless" government departments for losing confidential records, the company has been forced to send out an embarrassing letter telling journalists they may now be at risk of identity theft
[Evan] This is the same Daily Mail managed by Associated Newspapers that according to The Guardian "has been at the forefront of coverage of the recent bank and government department missing data scandals". It would be very difficult for Associated Newspapers to claim that they didn't know any better than to store confidential information on a poorly protected laptop.
Details such as names, addresses, bank account numbers and sort codes were on the laptop
the laptop was "password protected" but tell recipients to contact their banks and also "consult the government website ... for advice on avoiding or dealing with identity theft"
[Evan] The mention of password protection is nothing more than an effort to minimize the effect of the breach. It does very little (if anything) to protect the personal information.
In a letter to those who details were affected, Simon Dyson, finance director at Daily Mail publisher Associated Newspapers, and Martyn Hindley, his counterpart at sister company Northcliffe, said it was likely that the details had been erased by the thief.
[Evan] How is the conclusion drawn? I don't see how there could be enough information to determine what the thief was likely to do.
From the letter to affected persons from the Associated Newspapers group finance director, Simon Dyson, and his Northcliffe counterpart, Martyn Hindley:
"Unfortunately one of the company's laptops has been stolen."
"The contents included personal data, some of which related to you."
"The laptop was password-protected. "
[Evan] So what? This won't adequately protect the information on the laptop, so why mention it?
"We are writing to you as quickly as possible to alert you to the fact that the theft has happened and to inform you of the data types lost, so that you can take appropriate action."
[Evan] I guess we should give some credit for the quick notification, if nothing else.
"In your case, your name, address, bank account number and bank sort code were the sensitive information lost."
"The likelihood is that this theft was carried out in an opportunistic manner by a thief who will not realise that there is any personal data on the laptop and who may just erase what is on the hard disk in order to disguise the fact that the laptop is stolen."
[Evan] This is nothing more than speculation. I can't imagine that there are any specific facts for which this conclusion is based on.
"We have, of course, notified the police of the theft of the laptop and are talking to the Office of the Information Commissioner about what has happened."
"On behalf of the company, I would like to offer my sincere apologies for any annoyance and inconvenience to you that this breach of security may cause."
"I can assure you that we take security of personal data very seriously and have, since this incident, which was inadvertently caused by a technical issue, already further strengthened procedures."
[Evan] This breach was caused by a "technical issue"? Like what? I presume that the technical aspects surrounding this breach were working exactly as they were designed to in the manner of which that they were implemented. Without further elaboration, "strengthened procedures" is subjective and means little. Organizations should offer details, instead of general statements in order to bolster some sense of confidence.
Commentary:
This breach must be embarrassing for Associated Newspapers. A breach like this should be embarrassing for any organizations. Unencrypted lost of stolen laptops storing personal (or other confidential) information is a pretty well-known risk nowadays. An unacceptable risk for most.
Past Breaches:
Unknown
Date Reported:7/4/08
Organization:
Daily Mail and General Trust plc
Contractor/Consultant/Branch:
Northcliffe Media
Associated Newspapers Ltd
Victims:
Staff, suppliers and contributors
Number Affected:
"thousands"
Types of Data:
"name, address, bank account number and bank sort code"
Breach Description:
"Daily Mail publisher Associated Newspapers has admitted that a laptop containing financial and personal details of thousands of staff, suppliers and contributors has been stolen."
Reference URL:
ComputerWorldUK
Guardian News (UK)
Guardian News (UK) additional info
Report Credit:
Guardian Newspaper
Response:
From the online sources cited above:
Daily Mail publisher Associated Newspapers has admitted that a laptop containing financial and personal details of thousands of staff, suppliers and contributors has been stolen.
A Daily Mail & General Trust spokeswoman said: "DMGT confirms that a laptop company computer containing certain confidential information was stolen last week.
After months of criticising "criminally careless" government departments for losing confidential records, the company has been forced to send out an embarrassing letter telling journalists they may now be at risk of identity theft
[Evan] This is the same Daily Mail managed by Associated Newspapers that according to The Guardian "has been at the forefront of coverage of the recent bank and government department missing data scandals". It would be very difficult for Associated Newspapers to claim that they didn't know any better than to store confidential information on a poorly protected laptop.
Details such as names, addresses, bank account numbers and sort codes were on the laptop
the laptop was "password protected" but tell recipients to contact their banks and also "consult the government website ... for advice on avoiding or dealing with identity theft"
[Evan] The mention of password protection is nothing more than an effort to minimize the effect of the breach. It does very little (if anything) to protect the personal information.
In a letter to those who details were affected, Simon Dyson, finance director at Daily Mail publisher Associated Newspapers, and Martyn Hindley, his counterpart at sister company Northcliffe, said it was likely that the details had been erased by the thief.
[Evan] How is the conclusion drawn? I don't see how there could be enough information to determine what the thief was likely to do.
From the letter to affected persons from the Associated Newspapers group finance director, Simon Dyson, and his Northcliffe counterpart, Martyn Hindley:
"Unfortunately one of the company's laptops has been stolen."
"The contents included personal data, some of which related to you."
"The laptop was password-protected. "
[Evan] So what? This won't adequately protect the information on the laptop, so why mention it?
"We are writing to you as quickly as possible to alert you to the fact that the theft has happened and to inform you of the data types lost, so that you can take appropriate action."
[Evan] I guess we should give some credit for the quick notification, if nothing else.
"In your case, your name, address, bank account number and bank sort code were the sensitive information lost."
"The likelihood is that this theft was carried out in an opportunistic manner by a thief who will not realise that there is any personal data on the laptop and who may just erase what is on the hard disk in order to disguise the fact that the laptop is stolen."
[Evan] This is nothing more than speculation. I can't imagine that there are any specific facts for which this conclusion is based on.
"We have, of course, notified the police of the theft of the laptop and are talking to the Office of the Information Commissioner about what has happened."
"On behalf of the company, I would like to offer my sincere apologies for any annoyance and inconvenience to you that this breach of security may cause."
"I can assure you that we take security of personal data very seriously and have, since this incident, which was inadvertently caused by a technical issue, already further strengthened procedures."
[Evan] This breach was caused by a "technical issue"? Like what? I presume that the technical aspects surrounding this breach were working exactly as they were designed to in the manner of which that they were implemented. Without further elaboration, "strengthened procedures" is subjective and means little. Organizations should offer details, instead of general statements in order to bolster some sense of confidence.
Commentary:
This breach must be embarrassing for Associated Newspapers. A breach like this should be embarrassing for any organizations. Unencrypted lost of stolen laptops storing personal (or other confidential) information is a pretty well-known risk nowadays. An unacceptable risk for most.
Past Breaches:
Unknown
Posted by Evan Francen at 7/5/2008 12:47 PM 
Categories: Daily Mail and General Trust, Stolen Laptop, Northcliffe Media, Associated Newspapers
Categories: Daily Mail and General Trust, Stolen Laptop, Northcliffe Media, Associated Newspapers
Posts Atom 1.0
Comments