One of the most vulnerable links in your security infrastructure is an unattended parking space.
Data potentially compromised through vehicle break-ins is a recurring theme in the Privacy Rights Clearinghouse Database, which keeps a detailed, running record of security breaches and their impact. Think of it as the police blotter of the Internet era.
In September, a laptop containing 5,000 records from the LSU Health New Orleans School of Medicine got pinched from a doctor’s car parked in front of his house. In October, the University of Oklahoma College of Medicine, Department of Obstetrics & Gynecology, had to notify select patients that records pertaining to their health from 2009 and 2014 were on a laptop stolen from a car.
Ironically, another recent victim of car laptop theft was a company specializing in conducting security background checks.
Don’t leave laptops in cars is the first, but arguably also the easiest, lesson for companies to learn when it comes to stemming the damage that can be caused by computer theft. An estimated 187 million records have been potentially compromised through 1,872 incidents of lost, stolen or inadvertently discarded systems since 2005, according to the Clearinghouse database—and those are only the incidents reported to the organization.
Some other rules of the road:
- It’s Not Just Laptops. External hard drives with sensitive information have been lifted from a sleep clinic in San Diego, a school district, a CPA firm, and a credit union, among other places. Payroll, SSNs and other information were on a stolen USB flash drive from a services firm in Ohio. In Northridge, California, thieves made off with a Point-of-Sale system that contained financial information, SSNs and other employee information.
- The Information, Not the Hardware, Often Seems to be the Target. Lawyers, doctors and accountants are some of the more frequent victims on the list, but you also see schools, retail outlets and banks. The prominent presence of accountants and tax preparers is interesting: false IRS tax returns filed with stolen SSNs are on the rise. That information can become the raw material for identity theft.
Core technology can be compromised too: In 2014, the FBI warned that hackers were targeting healthcare and medical device companies for intellectual property.
- The Penalties Can Be Substantial. Laptop theft can trigger potential liabilities under Sarbanes-Oxley, the Healthcare Information Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act and other regulations. In 2009, BlueCross BlueShield of Tennessee was fined $1.5 million (and spent $17 million in remedial actions) after 57 unencrypted hard drives containing records pertaining to nearly one million patients were stolen from a storage closet.
- Even Really Smart People Can Be Hit. In 2012, ComputerWorld reported that a laptop stolen from a NASA employee’s car potentially compromised the personal information of 10,000 employees. “Although the laptop was password protected, it did not have whole disk encryption software, meaning the information on the laptop could be accessible to unauthorized individuals,” Richard Keegan, NASA associate deputy administrator, warned in an email to NASA employees.
- Make Sure You Enforce Security Policies. In 2014, a thief walked into Coke’s Atlanta headquarters and left with 74,000 digital employee records that included Social Security numbers, license numbers and other information, according to the Wall Street Journal. Despite internal policies requiring encryption, the laptop’s information was unencrypted.
So what can you do? Besides the usual precautions, encryption can put a huge dent in the problem by making stored information unintelligible to intruders. Like anything else, encryption systems can be hacked, but it takes money, time and brute force computing.
Self-encrypting drives further help by (1) minimizing the performance impact by offloading encryption to specialized hardware and (2) taking humans out of the picture. Coughlin Associates predicts that a large proportion of solid state drives are already self-encrypting capable and the technology will be nearly universal by 2018.
“Encryption should be enabled for everything by default, not a feature you turn on only if you're doing something you consider worth protecting,” security expert Bruce Schneier wrote in his blog.
And take your laptop with you.
Eyal Bek is Director of Product Marketing for Client SSDs at SanDisk Corporation.
This article expresses the views of the author and not necessarily those of his employer.