/v3-uk/news/1961648/st-albans-council-loses-fourth-laptop
16 Nov 2009, Rosalie Marshall, V3
A laptop has been stolen from St Albans District Council containing personal details on more than 14,000 local postal voters.
The information included the names, addresses, dates of birth and signatures of the 14,673 residents who applied for a postal vote in the June local election. The laptop was the fourth to be stolen from the council this month.
The council has said that the laptop did not contain details of votes cast, and was protected by two levels of security, according to reports in local paper the St Albans & Harpenden Review.
However, commentators have pointed out that, if the two levels of security are not strong enough, the personal data could be used for bank or credit card fraud.
Chris McIntosh, chief executive at hardware encryption specialist Stonewood, maintained that the data should have been encrypted, and that two layers of password protection will not put residents' minds at rest.
"We don't know what these two layers are, and if they're just simple log-in passwords then it is quite simply not good enough as they can be easily hacked," he said.
"Organisations must start to understand the value of data and treat it accordingly. In cases like this where we are talking about personal data it must be encrypted to ensure that if a device is stolen the data cannot be accessed."
Data security firm Check Point suggested that the incident shows that organisations are overlooking the lessons of the past two years.
"In our recent survey of 135 public and private sector firms, over 50 per cent did not have any encryption in place to secure data on their laptops. This hasn't changed since the HMRC incident, so you have to wonder how many incidents it will take for the lessons to sink in," said Check Point northern Europe regional director Nick Lowe.
Do you agree?
Protecting sensitive data means more than just having a good password policy
The data theft experienced by St Albans and Harpenden illustrates the importance of access control and ensuring that only authorised users can access networks and the systems attached to them. Certainly, sensitive information such as the data on these 14,673 voters should never be stored on hardware that could fall into the wrong hands.
As shown with other recent high-profile data losses, weak network access controls ultimately lead to sensitive data being compromised. This latest incident could have been avoided by implementing and maintaining tight access controls and using strong authentication techniques.
Protecting sensitive data means more than just having a good password policy. Limiting user access to just the applications and repositories they actually need is an important tool to combat unauthorised and malicious data access.
Posted by Stuart Hodkinson, UK Country Manager, Courion, 17 Nov 2009
Others take note!
The fact that this is the fourth laptop from St Albans Council to be stolen this month should act as a real wake-up call to similar organisations across the country. Short of locking them in a vault, laptops can and will be stolen. However, although councils may physically lose the laptop, the cost of losing thousands of identities can be considerably more expensive and time-consuming. Councils across the country need to ensure that all data stored on these computers is securely encrypted by a 256-bit cipher at least. Added to this, it should be obligatory for councils to declare what IT security systems they have in place to protect their residents. That way, if another council is unfortunate enough to be hit with a similar spate of crime, they can rest assured that the critical information stored within cannot be accessed and sold for considerably more than the cost of a mere laptop.
Posted by Matt Fisher, FrontRange Solutions, 17 Nov 2009
The only way to prevent exposure is through deletion
Surprise, surprise. Another incident of data security negligence. I find it absolutely astonishing that the people in charge of these computers think that 'maybe there were two levels of encryption installed, and that maybe people won't be able to see the data stored on them'. I don't think that a 'maybe' is comforting enough for those who will suffer from this. The fact is that IT administrators in these organisations should KNOW for a FACT that data is not going to be exposed. We are only human, and mistakes like laptop loss are always going to happen, so make sure that when they do, you are properly prepared. There are now remote data encryption and deletion services available on the market. These managed services can range from automatic machine lockdown to immediate hard drive deletion that can be triggered remotely whenever a machine is thought to be compromised. After all, a standard encryption key can eventually be broken with the right tools and knowledge. The only way to ensure data can't be obtained is to delete it, full stop.
Posted by Harry Burton, Backup Direct, 18 Nov 2009