The Bord Gais story
First off, I am a Bord Gais (Irish Gas Board, now an electricity supplier) customer. I switched to them earlier this year to save money. I provided personal details about myself and my wife along with details of the bank account our bills get paid out of. So, my wife and I are almost certainly included in the 75000 people who have recently heard about how four laptops were stolen from the Bord Gais HQ two weeks ago, one of which had our personal data on it in an unencrypted form.
Oh… we are assured it was password protected. Forgive me if I don’t feel the love about that assurance. Passwords were made to be broken, and in my experience they are often not very strong. (“P@ssword”).
Everything reported in the media thus far suggests to me that this incident stems from yet another chronic failure to recognise the value of the “Information Asset” and treat it with the care and respect that it deserves.
What do we know?
- The laptops were stolen in a burglary.
Unless the burglars had ample time to wander around the headquarters of a blue chip company rifling presses looking for laptops, it would seem to me that the laptops were left on desks unsecured. A basic practice for the physical security of laptops is to either lock them away or take them home with you and secure them there. Leaving them sitting on your desk invites larceny.
- This laptop ‘fell through the cracks’ for installing encryption software
OK. Mistakes can happen. However a simple check for the existence of encryption software is an obvious preventative control that could have prevented the unencrypted laptop from being put out into use. Of course, just because there is encryption software on a laptop doesn’t mean that the user will actually encrypt their files in all cases.
Reliance on policy and technology without ensuring control, culture and people changes are implemented as well (such as changing work practices or giving the lowest techie the right to tell the CEO to bugger off if he wants his laptop before it is encrypted) invites a false and unwarranted sense of security.
Also, I am aware of one large company which has rolled out encryption on laptops, but only to senior management and primarily to protect documents relating to management strategy. The fact that the proletariat knowledge worker with a laptop can have spreadsheets a-plenty chock full of personal data doesn’t seem to have registered. They are protecting the wrong asset.
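The pre-release check described above, as an added example that is not part of the original post: a gate run over an asset-inventory export before a laptop is handed to a user. It holds back any device where the encryption software is missing, and separately any device where the software is present but the system volume has not actually been encrypted, which is the gap the post points at. The CSV layout, column names (fde_tool_installed, disk_encrypted, handles_personal_data) and asset tags are constructed for illustration and do not reflect any real inventory product.

```python
"""Pre-release encryption gate over a constructed laptop inventory export.

Added example, not code from the original post. The column names and the
sample rows are assumptions made for illustration only.
"""
import csv
import io

# Constructed inventory export. BG-0002 has the encryption tool installed
# but its disk was never encrypted: the "fell through the cracks" case.
INVENTORY_CSV = """asset_tag,assigned_to,fde_tool_installed,disk_encrypted,handles_personal_data
BG-0001,finance,yes,yes,yes
BG-0002,customer-ops,yes,no,yes
BG-0003,field-eng,no,no,no
BG-0004,exec,yes,yes,no
"""


def _flag(value: str) -> bool:
    """Interpret the yes/no style values an inventory export tends to carry."""
    return value.strip().lower() in {"yes", "true", "1"}


def load_inventory(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def release_blockers(row: dict[str, str]) -> list[str]:
    """Reasons this laptop must not be released. Empty list means it passes.

    Both checks are needed: an installed tool is evidence of intent, not of
    an encrypted disk, so each condition is reported on its own.
    """
    reasons = []
    if not _flag(row["fde_tool_installed"]):
        reasons.append("encryption software not installed")
    if not _flag(row["disk_encrypted"]):
        reasons.append("system volume not encrypted")
    return reasons


def gate(inventory: list[dict[str, str]]) -> dict[str, list[str]]:
    """Map asset tag -> blocking reasons for every laptop that fails the gate."""
    return {row["asset_tag"]: r for row in inventory if (r := release_blockers(row))}


def fix_first(inventory: list[dict[str, str]]) -> list[str]:
    """Failing laptops that also handle personal data: the ones to remediate first."""
    failing = gate(inventory)
    return sorted(
        row["asset_tag"]
        for row in inventory
        if row["asset_tag"] in failing and _flag(row["handles_personal_data"])
    )


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    for tag, reasons in gate(inv).items():
        print(f"{tag}: HOLD - {'; '.join(reasons)}")
    print("remediate first:", fix_first(inv))
```

Run against the constructed export, the gate holds BG-0002 (tool present, disk not encrypted) and BG-0003 (no tool at all), and puts BG-0002 at the top of the list because it carries personal data. The point of keeping the two conditions separate is that a report showing "encryption deployed to 100% of laptops" can be true while disks stay in the clear.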
- The file was password protected
OK. Two points here… is it the file or the operating system? How secure is the password? If the password is on the file might the password be stored in a text file on the laptop, or in an email, or on a post-it note stuck to the lid?
Even if the spreadsheet (and inevitably it will be a spreadsheet) is password protected, there are a number of free utilities for recovering passwords on Microsoft Office documents. It took me all of 15 seconds to find some on Google.
MS Access is a little trickier, but where there is a will (and a basic knowledge of Access) there is a way.
When it comes to securing personal data, passwords should be seen as the last (and weakest) line of defence. Passwords, like promises, are all too easy to break.
- The break-in happened 2 weeks ago
So, what we know from the media is that the thieves (or the people who eventually wound up with the laptops) have had 2 weeks to do the Google searches I’ve done to find the tools necessary to crack a password on a file.
They’ve had two weeks to go to market with their asset to see what price they can get. They’ve had two weeks to start applying for loans or credit cards.
What I know from the media now is that Bord Gais is more concerned with the Regulator and the Data Protection Commissioner than they are with their customers.
What I don’t yet know from the media
- What the fricking hell was my data doing on a laptop?
OK, so I’ll accept that there can be reasons for data to be taken onto laptops or local PCs from time to time (migrations, data profiling, reporting, remediation of compliance issues etc.).
But ALL the records and ALL the fields in those records? That’s just ridiculous.
And was that purpose consistent with the purposes for which I provided the data in the first place?
Having ALL the eggs in one unsecured basket invites loss and security breaches.
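The alternative to taking every record and every field, as an added example that is not part of the original post: an extract routine that only releases the columns declared for a stated purpose, only for the accounts actually needed, and refuses a purpose nobody has declared rather than quietly handing over the whole table. The customer records, column names and purposes are constructed for illustration; no real Bord Gais schema is implied.

```python
"""Purpose-limited extracts instead of copying the whole customer table.

Added example, not code from the original post. Records, field names and
purposes are constructed for illustration only.
"""
import csv
import io

# Constructed full customer records as they might sit in the billing system.
CUSTOMERS_CSV = """account_id,name,address,iban,email,tariff,last_read
A100,Jane Doe,1 Main St,IE00BANK0000000001,jane@example.com,Standard,4120
A101,John Roe,2 High Rd,IE00BANK0000000002,john@example.com,NightSaver,3980
A102,Ann Poe,3 Low Ln,IE00BANK0000000003,ann@example.com,Standard,4505
"""

# Each declared purpose names the only columns it may carry off the system.
# Bank details appear in none of them, so they never reach a laptop this way.
ALLOWED_FIELDS = {
    "tariff_report": {"account_id", "tariff", "last_read"},
    "address_cleanup": {"account_id", "name", "address"},
}

# Columns whose presence in any extract is treated as a defect.
SENSITIVE = {"iban", "email"}


class PurposeError(ValueError):
    """Raised when an extract is requested for a purpose nobody declared."""


def load_customers(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def minimised_extract(records, purpose: str, account_ids=None) -> list[dict[str, str]]:
    """Return only the permitted fields, and only the requested rows.

    account_ids=None means "all accounts", which should be the exception a
    reviewer has to justify, not the default way of working.
    """
    try:
        fields = ALLOWED_FIELDS[purpose]
    except KeyError:
        raise PurposeError(f"undeclared purpose: {purpose!r}") from None
    rows = records if account_ids is None else [r for r in records if r["account_id"] in account_ids]
    return [{k: v for k, v in r.items() if k in fields} for r in rows]


def contains_sensitive(extract) -> bool:
    """Post-extract check: did any sensitive column slip through?"""
    return any(SENSITIVE & r.keys() for r in extract)


def refuses(records, purpose: str) -> bool:
    """True if the routine refuses to produce an extract for this purpose."""
    try:
        minimised_extract(records, purpose)
    except PurposeError:
        return True
    return False


if __name__ == "__main__":
    customers = load_customers(CUSTOMERS_CSV)
    report = minimised_extract(customers, "tariff_report", {"A100", "A102"})
    for row in report:
        print(row)
    print("sensitive columns present:", contains_sensitive(report))
    print("refuses undeclared purpose:", refuses(customers, "everything"))
```

The extract for the tariff report comes out with three columns for two accounts instead of seven columns for every customer, and the post-extract check gives a second, independent confirmation that no bank or contact details are in the file that ends up on a laptop.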
- Was the laptop securely stored or locked in any physical way?
I have to assume no on this one, but who knows… the thieves may just have been very lucky that the first four presses they broke open happened to have laptops in them.
No amount of software security or business practice will prevent a theft if the actual physical security of the asset is not assured. The asset in this case isn’t the laptop (value no more than €600), but the data is worth a whole lot more.
75,000 records at around €2.00 a record is an easy €150,000.
- Will Bord Gais compensate customers who suffer loss or damage through their negligence?
OOOh. Negligence is a strong word. But leaving unencrypted, unsecured data (yes it is password protected but that’s not much comfort) lying around is negligent. If I suffer loss or injury (such as being liable for a debt I didn’t incur or having my credit rating trashed, or having my identity stolen) will Bord Gais compensate me (without me having to sue them first)?
What needs to be learned?
Information is an asset and needs to be treated as such. The actions of companies and their employees when handling personal data should pass what I call “The Money Test”:
If this data was my money would I be happy with the steps I’m taking to secure it?
- Would you be happy leaving piles of your cash lying on your desk when you go home at night? Or would you lock it away?
- Would you carry ALL your money around with you in a bag that has “MONEY” written on the side of it? Or would you take just what you need for the immediate purposes?
- Would you leave that bag of money lying around unsecured, or would you tie it to your desk, lock it in your drawer, or put it in a bank (where all the money should live) for safety?
- Would you entrust the safety of your money to a cheap cashbox with a lock that could be picked with the right tool (a hammer or a hair clip)? Or would you put your money in the bank where strong locks and additional security would keep it safe?
Note: It is YOUR money I’m talking about, not your company’s. To my mind, Bord Gais has failed the Money Test.
It’s not Bord Gais’s Information Asset… it is mine, I just loaned it to them
The personal data that customers give to their suppliers is given on trust, not traded. My name and address and bank account details did not become Bord Gais’s property when I became their customer. They remain my property. I have just loaned them to Bord Gais so they can give me electricity in exchange for money.
Increasingly it will be the case that if you lose the customer records, eventually you will lose the customers because the fundamental trust element of the relationship is no longer there.
Waiting two weeks to tell customers is the wrong approach
If, two weeks ago, Bord Gais had communicated with its customers that this loss of personal data had occurred then they could have emphasised that they were putting the customer first and seeking to ensure that their customers were able to get ahead of any potential issues that might arise.
Announcing it now is a bit late and smacks to me of either trying to downplay the issue with the Data Protection Commissioner (who, in fairness, was initially under the assurance that the data was encrypted, which does reduce the risk), or trying to make the problem go away, or management not understanding or being aware of the gravity of the situation (for example, how long exactly did it take Bord Gais to realise that the laptop was not encrypted?).