The Bord Gais story
First off, I am a Bord Gais (Irish Gas Board, now an electricity supplier) customer. I switched to them earlier this year to save money. I provided personal details about myself and my wife along with details of the bank account our bills get paid out of. So, my wife and I are almost certainly included in the 75000 people who have recently heard about how four laptops were stolen from the Bord Gais HQ two weeks ago, one of which had our personal data on it in an unencrypted form.
Oh… we are assured it was password protected. Forgive me if I don’t feel the love about that assurance. Passwords were made to be broken, and in my experience they are often not very strong. (“P@ssword”).
Everything reported in the media thus far suggests to me that this incident stems from yet another chronic failure to recognise the value of the “Information Asset” and treat it with the care and respect that it deserves.
What do we know?
- The laptops were stolen in a burglary.
Unless the burglars had ample time to wander around the headquarters of a blue chip company rifling presses looking for laptops, it would seem to me that the laptops were left on desks unsecured. A basic practice for the physical security of laptops is to either lock them away or take them home with you and secure them there. Leaving them sitting on your desk invites larceny.
- This laptop ‘fell through the cracks’ for installing encryption software
OK. Mistakes can happen. However a simple check for the existence of encryption software is an obvious preventative control that could have prevented the unencrypted laptop from being put out into use. Of course, just because there is encryption software on a laptop doesn’t mean that the user will actually encrypt their files in all cases.
Reliance on policy and technology without ensuring control, culture and people changes are implemented as well (such as changing work practices or giving the lowest techie the right to tell the CEO to bugger off if he wants his laptop before it is encrypted) invites a false and unwarranted sense of security.
Also, I am aware of one large company which has rolled out encryption on laptops, but only to senior management and primarily to protect documents relating to management strategy. The fact that the proletariat knowledge worker with a laptop can have spreadsheets a-plenty chock full of personal data doesn’t seem to have registered. They are protecting the wrong asset.
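The “simple check for the existence of encryption software” can be made mechanical rather than left to someone remembering. The script below is an added example (my own illustration, not anything Bord Gais runs): it assumes a Linux laptop built with LUKS/dm-crypt and reads the JSON form of `lsblk`, walking the block-device tree so that any mounted filesystem with no “crypt” layer above it is reported. The two device trees embedded in it are constructed samples, not output from a real machine; the point is that a laptop is only released to a user when the check returns nothing, which is exactly the gate that let this one fall through the cracks.

```python
"""Pre-issue laptop check: is every mounted filesystem backed by an encrypted block device?

Added example, not Bord Gais code. It reads `lsblk -J` output and walks the
device tree, so a data partition left outside the LUKS container is flagged
before the laptop is handed to a user.
"""
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not a real
# machine): root and swap live inside a LUKS container opened as "cryptroot",
# but a second disk holding /data was never encrypted.
SAMPLE_MIXED = {
    "blockdevices": [
        {"name": "sda", "type": "disk", "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "mountpoint": "/boot"},
            {"name": "sda2", "type": "part", "mountpoint": None, "children": [
                {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                    {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                    {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"},
                ]},
            ]},
        ]},
        {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
            {"name": "sdb1", "type": "part", "mountpoint": "/data"},
        ]},
    ]
}

# The same constructed laptop with the second disk removed: this one passes.
SAMPLE_CLEAN = {"blockdevices": SAMPLE_MIXED["blockdevices"][:1]}

# /boot normally has to stay in clear text so the machine can start; anything
# else mounted outside a "crypt" layer is a finding.
DEFAULT_ALLOWED_CLEAR = ("/boot", "/boot/efi")


def unencrypted_mounts(lsblk_json, allowed_clear=DEFAULT_ALLOWED_CLEAR):
    """Return mountpoints whose chain of parent devices contains no 'crypt' layer."""
    findings = []

    def walk(node, inside_crypt):
        # Once we pass through a dm-crypt device, everything below it is encrypted.
        inside_crypt = inside_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint and not inside_crypt and mountpoint not in allowed_clear:
            findings.append(mountpoint)
        for child in node.get("children", []):
            walk(child, inside_crypt)

    for device in lsblk_json.get("blockdevices", []):
        walk(device, False)
    return sorted(findings)


def may_be_issued(lsblk_json):
    """The gate: release the laptop only when nothing is left in clear text."""
    return not unencrypted_mounts(lsblk_json)


def live_check():
    """Run the same check on the machine this script runs on (Linux, util-linux lsblk)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unencrypted_mounts(json.loads(out))


if __name__ == "__main__":
    for label, sample in (("mixed", SAMPLE_MIXED), ("clean", SAMPLE_CLEAN)):
        print(label, "may be issued:", may_be_issued(sample),
              "clear-text mounts:", unencrypted_mounts(sample))
```

Run with no arguments it reports on the two constructed samples; `live_check()` applies the same walk to the real `lsblk` output of the machine it runs on. Note that it only proves the disk is encrypted, not that the user’s spreadsheet never leaves it, so the people and culture points above still stand.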
- The file was password protected
OK. Two points here… is it the file or the operating system? How secure is the password? If the password is on the file might the password be stored in a text file on the laptop, or in an email, or on a post-it note stuck to the lid?
Even if the spreadsheet (and inevitably it will be a spreadsheet) is password protected, there are a number of free utilities for recovering passwords on Microsoft Office documents. It took me all of 15 seconds to find some on Google.
MS Access is a little trickier, but where there is a will (and a basic knowledge of Access) there is a way.
When it comes to securing personal data, passwords should be seen as the last (and weakest) line of defence. Passwords, like promises, are all too easy to break.
- The break-in happened 2 weeks ago
So, what we know from the media is that the thieves (or the people who eventually wound up with the laptops) have had 2 weeks to do the Google searches I’ve done to find the tools necessary to crack a password on a file.
They’ve had two weeks to go to market with their asset to see what price they can get. They’ve had two weeks to start applying for loans or credit cards.
What I know from the media now is that Bord Gais is more concerned with the Regulator and the Data Protection Commissioner than they are with their customers.
What I don’t yet know from the media
- What the fricking hell was my data doing on a laptop?
OK, so I’ll accept that there can be reasons for data to be taken onto laptops or local PCs from time to time (migrations, data profiling, reporting, remediation of compliance issues etc.).
But ALL the records and ALL the fields in those records? That’s just ridiculous.
And was that purpose consistent with the purposes for which I provided the data in the first place?
Having ALL the eggs in one unsecured basket invites loss and security breaches.
- Was the laptop securely stored or locked in any physical way?
I have to assume no on this one, but who knows… the thieves may just have been very lucky that the first four presses they broke open happened to have laptops in them.
No amount of software security or business practice will prevent a theft if the actual physical security of the asset is not assured. The asset in this case isn’t the laptop (worth no more than €600); the data is worth a whole lot more.
75,000 records at around €2.00 a record is an easy €150,000.
- Will Bord Gais compensate customers who suffer loss or damage through their negligence?
OOOh. Negligence is a strong word. But leaving unencrypted, unsecured data (yes, it is password protected, but that’s not much comfort) lying around is negligent. If I suffer loss or injury (such as being liable for a debt I didn’t incur, having my credit rating trashed, or having my identity stolen) will Bord Gais compensate me (without me having to sue them first)?