BSkyB pensioner data on stolen Deloitte & Touche laptop
Technorati Tag: Security Breach
Date Reported:
10/9/08 (Updated 10/17/08)
Organization:
British Sky Broadcasting plc (BSkyB)
Transport Salaried Staff Association (Added 10/17)
Contractor/Consultant/Branch:
Deloitte & Touche LLP (UK)
Location:
United Kingdom
Victims:
Pensioners
Number Affected:
Unknown, at least 150,000 (Updated 10/17)
Types of Data:
"names, dates of birth and salary figures"
Breach Description:
"Details have emerged of a theft of a laptop containing pension details of BSkyB staff and other firms. The theft, involving an employee from the accountancy firm Deloitte, occurred last month."
Reference URL:
Computing
ITPRO
Report Credit:
Angelica Mari, Computing
Response:
From the online source cited above:
Details have emerged of a theft of a laptop containing pension details of BSkyB staff and other firms.
[Evan] OK, we got the fact that BSkyB staff members are affected, but who are the "other firms"?
The computer was taken from a Deloitte employee in September at a public place and contained names, dates of birth and salary figures to be used for audit work.
BSkyB said the data did not include bank or address details and claimed it is highly unlikely that the information will be mishandled due to the laptop’s reliable data security set-up.
"The laptop was protected by a number of security measures, including passwords, user IDs and encryption of the majority of the information, so we are confident that the risk of data access or misuse is low," said a BSkyB spokeswoman.
[Evan] Encryption of the "majority" of information? It must stink to be in the minority. Passwords and user IDs don't offer much comfort.
Both companies describe the incident as being an "opportunistic theft".
"The thief could not have been aware that the bag - which was not a laptop bag - contained a laptop and therefore the theft was not targeted," said BSkyB in a letter seen by Computing that was sent to all employees whose data may have been stored in the computer.
[Evan] Is this supposed to make people feel better? Security through obscurity, ugh.
Since the theft, the police have been informed and an investigation is underway.
Deloitte has changed user authentication details at its servers as a preventive measure.
The theft’s effect on the two companies’ relationship is not yet known, but Deloitte and BSkyB are reviewing procedures to minimise the risk of further such incidents.
Deloitte said it was working with the undisclosed firms affected.
[Evan] So we can probably expect more news around this incident.
"Deloitte has information security policies that include guidelines for employees to ensure they pay close attention to their laptops when in public places. Very unfortunately, this theft still occurred."
Commentary:
There is a lot of detail missing from the news reports cited above. What exactly was encrypted and what was not? It would also be good to know how the information was encrypted and more specifically how the secret key (likely a password) was/is secured. These would be among my primary concerns.
It is also important to note that Deloitte has a large Security & Privacy Services global group.
There was a comment posted on the Computing article that claims:
"This has also affected every rail worker in the UK! We received an email about it this afternoon." - Posted by: A. Railworker, 09 Oct 2008
Past Breaches:
Deloitte & Touche:
December, 2007 - Deloitte & Touche and IKON lose confidential information