The site pogowasright.org has a link to a letter of notification to the Maryland Attorney General from Exeter Trust Company.
According to the notification letter, an employee of a third-party vendor hired by IBT stole a computer tower that contained four million internal e-mails with sensitive details like names, Social Security numbers, and checking account numbers. Since one assumes these e-mails would have to be gone through one by one, it’s no wonder that it took
A computer tower, eh? I haven’t heard that term in ten years. If they’re referring to what I think they’re referring to, we’re talking about something that is about two feet or more in height. Not an easy thing to lug around. Stealing one of those would definitely require an insider’s help. Which goes to show that form factor is not to be relied upon for security.
The question, as far as I’m concerned, is “would full disk encryption have helped in this case?” I’m going to assume that file encryption would have been a less than ideal solution, just because of the massive number of e-mails to be protected. I just know someone somewhere would have forgotten to encrypt at least one e-mail. It’s just the nature of things.
Why am I even questioning the effectiveness of hard drive encryption? Quite obviously, because an insider was involved. Hmm… I probably should note that this employee is technically not an insider. Yes, he was physically inside the venue where the computer was located; that much is clear. However, whether he was working on the computer, or next to the computer—we don’t have that detail. After all, he wasn’t an employee at
And therein lies the problem. If he was working next to the computer, full disk encryption would have protected the e-mails and any other data stored on that computer. One assumes that the username and password for decrypting the information wouldn’t have been taped to the bottom of the keyboard, for example. If the thieving employee had worked on the computer, then that means he had access to the data to begin with, and full disk encryption would have offered limited protection. I say “limited” because encryption solutions like AlertBoot—which use a centrally-managed console to control the encryption of computers and access by employees—would have given
What’s really tragic about this story is that