Saturday, December 16, 2006

Boeing Holds Employee Accountable in Laptop Theft

Laptops are stolen all the time, and far too often they contain personal and financial information that can be used for identity theft.

The Boeing Company announced Thursday that it fired the employee whose stolen laptop compromised 400,000 people's personal information. This wasn't the first Boeing employee to lose a laptop containing sensitive information.

Boeing is saying that the computer was "password protected," and they believe the intent of the thief was to steal the laptop rather than breach the information on it. They are also saying that there is no evidence of identity theft, but are "assuming the worst case scenario."

I sometimes wonder if the same public relations firm prepares all these statements. They all say about the same thing - that there is no evidence the information has been used to commit "identity theft."

Of course, with all the attention brought upon this, even if the original motive was to steal a laptop, the thief probably is now aware the laptop contains a lot of information that can be sold for a price.

It's become pretty easy to find a place to sell stolen information, with carder forums designed for that purpose operating on the Internet. Previous post, here.

The employee was terminated (fired) for not having the information "encrypted" per Boeing policy, which was implemented because of the earlier "laptop thefts."

Even if the information were encrypted - in theory at least - encrypted data can still be hacked by someone with the knowledge to do so. Another problem is that if information can be downloaded, it can be compromised by a dishonest insider, or with a "compromised password."

Just last week, the media was awash with stories of IT students being "courted" to work for organized criminal groups, which more and more seem to be getting involved in technology-based crimes, including "identity theft."

I did a post with my thoughts on this matter, here.

In all fairness, Boeing isn't the only organization losing laptops with personal information on them. The Privacy Rights Clearinghouse, which maintains a chronology of "known data-breaches," hit the 100 million mark this week (number of people compromised in the U.S., alone). Just this week, they documented eight "known" breaches.

Note that they can only document the "known breaches," and breaches that previously were "unknown" seem to be appearing all too often.

Encryption and computer security measures are only one part of the solution. It's the information that the bad guys are after and we need to stop keeping it in places where it's too easily stolen.

Firing one employee is unlikely to have any impact on the overall problem.

James Wallace, Seattle PI, has an extensive article about the Boeing story, here.
