Last week, the Bank of Ireland (BoI) announced that four laptop computers lost over the past year or so could have affected 10,000 customers. Following the investigation it was conducting after that announcement, the BoI has now updated the number of customers affected to over 30,000.
There has been a lot of criticism of the BoI’s actions, or lack thereof: they waited nearly a year to alert their customers to the increased risk of identity theft they were facing. The BoI, for its part, countered the criticism by saying that it didn’t want to alert the thieves to the true worth of the stolen laptop computers.
Today’s revelation by the BoI is not really surprising. Similar post-announcement revisions have occurred in the past, when other organizations have had to revise the number of clients affected by stolen computers, laptops or otherwise.
Gaffes like these arise for quite simple reasons, really: we never have a complete idea of what is on our computers, let alone in individual files. Even when people have to follow a strict policy on what type of data is allowed on a computer, they will often ignore said policies. The reasons run the gamut from “ignoring the idiots in IT” to “just not paying attention.”
And that last one is not necessarily a sign of incompetence. For example, I remember once receiving a spreadsheet full of customer names and other data from a client. Neither he nor I noticed that three individual columns contained sensitive customer information that had no bearing on the business at hand, and to which I certainly should not have had access. Why was it included? Because the columns were hidden, that’s why. Hiding three columns out of 27 is not something that’s easily noticeable. (And if what I read about human psychology is true, people don’t notice that something is missing unless they’re actively looking for it. I have to admit that I wasn’t looking for hidden columns. My guess is my client wasn’t either—he was probably looking to see if a column with sensitive data was showing up.)
I think it’s pretty much established that people will save and download data locally regardless of what written policies are in place. And this is the reason why full disk encryption may work better for data security purposes than file encryption. Both have their pros and cons (and ideally you want to combine their use, which is why both are offered if you sign up with AlertBoot), but whole disk encryption’s strength lies in the fact that it encrypts everything residing on the hard disk. Let me emphasize that again: residing on the hard disk. If you e-mail a document stored on the disk to someone else, the file is not encrypted anymore; for encrypting a file you need (tada!) file encryption.
Plus—unlike file encryption—once you have hard drive encryption in place, you never have to do anything extra to ensure information security (well, with the exception of changing your access passwords once in a while).
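To make that scope difference concrete, here is an added Python model (not AlertBoot’s code or anything from the original post): a disk volume that decrypts transparently on every read, beside a file-encrypted document that carries its own ciphertext wherever it goes. The HMAC-based keystream stands in for a real disk cipher such as AES-XTS, and the customer record, paths and keys are constructed for the demo.

```python
import hashlib, hmac, os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream (demo stand-in for a real disk cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)

class EncryptedDisk:
    """Models full disk encryption: every write lands encrypted on the platter, and every
    read through the mounted volume is decrypted transparently with the disk key."""
    def __init__(self, disk_key: bytes):
        self._key = disk_key
        self.platter = {}  # path -> (nonce, ciphertext): what a thief sees on the raw drive
    def write(self, path: str, data: bytes) -> None:
        nonce = os.urandom(16)
        self.platter[path] = (nonce, keystream_xor(self._key, nonce, data))
    def read(self, path: str) -> bytes:
        nonce, ciphertext = self.platter[path]
        return keystream_xor(self._key, nonce, ciphertext)

def encrypt_file(file_key: bytes, data: bytes) -> bytes:
    """File encryption: nonce and ciphertext travel together, so protection survives leaving the disk."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(file_key, nonce, data)

def decrypt_file(file_key: bytes, blob: bytes) -> bytes:
    return keystream_xor(file_key, blob[:16], blob[16:])

def demo() -> dict:
    # Constructed sample record; not real customer data.
    record = b"name,account\nJ. Doe,ACCT-EXAMPLE-0001\n"
    disk = EncryptedDisk(os.urandom(32))
    disk.write("/home/user/customers.csv", record)
    # A thief pulls the drive and reads raw sectors: ciphertext only.
    raw_sectors = disk.platter["/home/user/customers.csv"][1]
    # The owner attaches the file to an e-mail through the mounted volume: plaintext leaves.
    attachment = disk.read("/home/user/customers.csv")
    # Same record, file-encrypted before being stored: still ciphertext when it leaves.
    file_key = os.urandom(32)
    disk.write("/home/user/customers.csv.enc", encrypt_file(file_key, record))
    attachment_enc = disk.read("/home/user/customers.csv.enc")
    return {
        "raw_disk_exposes_record": record in raw_sectors,
        "fde_attachment_exposes_record": attachment == record,
        "file_enc_attachment_exposes_record": record in attachment_enc,
        "recipient_with_file_key_recovers": decrypt_file(file_key, attachment_enc) == record,
    }
```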
Full disk encryption was designed for those instances where the disk itself is lost—meaning, generally, when a computer is lost or stolen. If the BoI had safeguarded the contents of those four stolen laptops with full disk encryption, it wouldn’t have mattered whether 10,000 customer records or 30,000 of them were residing on the stolen machines.