Caslon Analytics: Data Losses note
     laptops and other devices

This page highlights recent examples of large scale exposure of sensitive consumer information through loss or theft of laptops and other devices.


It covers -

     introduction

Why is exposure of data through theft or misplacement of personal computers (desktop machines, laptops and PDAs) and other devices, including servers, an issue?

One reason is that those devices often contain substantial amounts of sensitive information in a readily usable form and without protection such as encryption of individual files or password protection to access the device. It's much easier to walk out of an office or a cafe with someone's laptop than it is to purloin 20 metres of paper files.

Another reason is that the characteristics that make laptops, PDAs and mobile phones so valuable to users - their portability, adaptability and potential to signify the owner's status - are characteristics attractive to thieves. Much theft appears to have an opportunistic basis; many thieves are interested in the device rather than the information it contains.

The NSW Bureau of Crime Statistics estimated in 2004 that 3.4% of laptops are stolen each year, a figure that is arguably an under-estimate because people without insurance often do not bother to make a report. In 2000 the Australian Minister for Defence acknowledged that around 1.8% of the 7,000 laptops used across his portfolio went AWOL each year, claiming that "the portable computer loss rate in the private sector is much higher at between 10% and 15%".

That acknowledgement is useful as an indication that loss is not restricted to the private sector. In 2003 some 90 desktop and 25 laptop computers were either stolen or lost from Australian defence establishments, up from 73 laptops and 105 desktop machines in 2001 (of which 13 held classified information and three held commercially sensitive information). In 2000 the Defence Department reported that 54 laptops were lost and 73 stolen. Overall, in the 2001 financial year some 650 federal government computers were reported stolen, with 30 laptops missing from ASIO, the National Crime Authority and the Australian Federal Police. The UK Ministry of Defence reported that 594 laptops were lost or stolen from 1996 to 2003, with around 30% containing "sensitive" information. One MI5 employee famously lost his laptop after he put it on the ground while buying a train ticket.

     CRA (2004)

In 2004 the Canadian Revenue Agency (the equivalent of the federal ATO in Australia) reported the loss of six laptop and desktop computers from its Laval, Quebec office. One of the machines, used to test computer applications, contained around two million records from four confidential personal information databases. CRA notified over 120,000 affected individuals of the security breach.

     universities

In 2004 two University of California Los Angeles laptops were stolen. They contained unencrypted personal information concerning 145,000 blood donors and 62,000 health patients.

A University of California Berkeley laptop stolen in 2005 held the social security numbers and other personal information of 98,369 graduates. During the same year a laptop containing data on 20,000 students and faculty in the Vermont State College system was stolen from a vacationing employee's locked car in Montreal. The laptop held unencrypted names, addresses, Social Security numbers, payroll information and academic records on students. (One might question the practice of taking such data, in unprotected form, on vacation.)

     MCI, ACS and Omega (2005)

An MCI laptop stolen from an employee car in 2005 contained the names and social security numbers of 16,500 current and former MCI employees.

In 2005 thieves stole two computers from Motorola's HR services provider Affiliated Computer Services, with information on Motorola's US staff.

An Omega World Travel laptop stolen in 2005 contained names and credit card details of 80,000 customers, including US Department of Justice employees.

     NSWSTA (2005)

The NSW State Transit Authority, a government agency, auctioned 12 servers in 2005. One of the buyers discovered that the STA had failed to delete payroll and financial information, Sydney public transport passenger counts, ticketing system codes, incident reports and employee access PINs.

     Ameriprise and Fidelity (2005)

In 2005 an Ameriprise Financial laptop was stolen from an employee's parked car. It contained unencrypted lists with personal information of about 230,000 customers and advisers, including names and Social Security numbers of 70,000 current/former financial advisers and the names and internal account numbers of some 158,000 customers.

A year later Fidelity Investments reported the theft of a laptop containing personal information about 196,000 current and former HP employees.

The Fidelity email to those employees stated

This is to let you know that Fidelity Investments, record-keeper for the HP retirement plans, recently had a laptop computer stolen that contained personal information about you, including your name, address, social security number and compensation

     YMCA (2006)

In 2006 the Providence (Rhode Island) YMCA lost a laptop containing unencrypted personal information about some 65,000 members. That data included credit card and debit card numbers, checking account information, Social Security numbers, the names and addresses of children in daycare programs and medical information about the children (eg allergies and the medicine they take).

     US VA, IRS and FTC (2006)

In May 2006 the US Government revealed that a Veterans Affairs laptop with personal data on 26.5 million veterans had been stolen from an official's home, admitting that the employee had been taking sensitive data home for the preceding three years. The data included names, birth dates, social security numbers, phone numbers and some addresses. VA offered to pay for a year of credit monitoring for the veterans, which it said would cost US$160.5 million (somewhat more than the cost of encrypting the data on the laptop). The device was recovered in June 2006 after a US$50,000 reward was offered.

Later in 2006 the government announced that an Internal Revenue Service employee had lost an agency laptop checked as luggage on a commercial flight. The device contained sensitive personal information on 291 workers and job applicants (including unencrypted names, birth dates, Social Security numbers and fingerprints) but was protected by a double-password system.

Shortly thereafter the Federal Trade Commission disclosed theft of two laptops containing personal and financial data on consumers. The data on 110 people was "gathered in law enforcement investigations and included, variously, names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers." The laptops were password protected, although the effectiveness of that protection is unclear.

     Hummingbird (2006)

Toronto software provider Hummingbird disclosed that an employee lost "a piece of computer equipment" that contained the names and social security numbers of 1.3 million American students. Those students were customers of Texas Guaranteed, a US non-profit entity that administers a family education loan program. Hummingbird had been hired to develop a document management system.

Hummingbird's CEO stated that

The privacy of customer data is of utmost importance to us and we take our responsibility to safeguard it very seriously. We deeply regret that this incident has occurred. ... We continue to investigate the facts surrounding this loss of information and are taking all necessary action in order to ensure that such occurrences do not happen in the future.

The device was password protected; the files were not encrypted.

     E&Y and ING (2006)

A laptop stolen from the trunk of an Ernst & Young employee's car contained the names and credit card numbers of some 243,000 customers of Hotels.com.

Although the loss occurred in February 2006, Ernst & Young was reportedly unable to determine what was on the device until early May, at which time it and Hotels.com began notifying affected individuals. Earlier in the year Ernst & Young had exposed data from Goldman Sachs; another lost E&Y laptop featured names and social security numbers of IBM, BP and Sun Microsystems staff.

The UK Register, in reporting on those incidents and loss of four E&Y laptops from a conference room in Miami while the staff were at lunch, sniffed that

Ernst and Young has failed to issue a public statement about these breaches despite being a major advocate of transparency in such issues in its role as an auditor and corporate advisor.

In responding to the Hotels.com theft E&Y stated that it had no reason to believe the thief was specifically seeking the information on the computer. It has since added new security protections to the laptops of its 30,000 employees in the US and Canada.

Later in 2006 a laptop containing personal data of 13,000 Washington DC workers and retirees was stolen from the home of an employee of ING US Financial Services. The device was not protected by a password or encryption. ING executives commented, as well they might, that they believed the laptop was stolen for its value as hardware and that the thieves might not have been aware of the data it contained.

For us, this is very unfortunate. But we're moving forward, we're very focused and committed to find any other laptops that don't have encryption software and to fix that. This incident revealed a gap.

Critics noted that ING should have been well aware of that gap, as two of its 5,000 laptops had been stolen in 2005. Those devices contained unencrypted sensitive data regarding 8,500 Florida hospital workers.

In 2006 an unencrypted hard drive was lost during shipping back to the American Institute of Certified Public Accountants (AICPA) by a computer repair company. The drive held the names, addresses and Social Security numbers of 330,000 AICPA members. Later in that year a laptop stolen from a Deloitte & Touche employee's car featured home addresses, phone numbers, Social Security numbers and salary information on 12,000 Armstrong World Industries employees.

     EDS and Mercantile Potomac (2006)

A laptop computer containing pension data of former employees of US supermarket chains Stop & Shop, Tops and Giant was lost by an EDS employee (and "may have been stolen") during a commercial flight in the US. The data included names, Social Security numbers, employee birth dates, benefit amounts and related administrative information. The device went as cargo rather than carry-on luggage. It was password-protected but the data was not encrypted.

EDS and its client Royal Ahold NV declined to say how many former employees were affected.

Bethesda-based Mercantile Potomac Bank announced that a laptop containing Social Security and account numbers for nearly 50,000 customers was stolen from an employee's car.

     AIG (2006)

In June 2006 global insurance behemoth American International Group revealed that a burglar stole computer equipment in March from one of its US offices. That device contained personal information on 930,000 people, including names, Social Security numbers and some medical information.

version of July 2006
© Caslon Analytics