The past week I’ve been following up on the lack of drive encryption software on six laptops (originally believed to be seven) that were stolen from the office of the accounting firm of Vavrinek, Trine, Day and Co. I thought I’d post a quick update on new revelations.
The story originally broke when the Borrego Springs Bank sent out an alert. Earlier this week, more details were revealed, including the name of the accounting firm that was in charge of external auditing for Borrego Springs Bank. It was also revealed then that there wasn’t any hard disk encryption on the stolen laptops.
A Quick Update
It looks like another bank has gone public about the incident as well. According to this story, Mission Bank in Arizona has also alerted their customers about the incident, although they failed to reveal the name of the independent auditing firm that was responsible for the breach.
It’s easy to tell that it’s the same incident as that of the Borrego Springs Bank, though, because of the details that are provided:
Break-in into auditing firm’s office on March 10
Six password-protected laptops stolen
Auditing firm (an accounting firm) office was in Orange County, California
It looks like the administrators of the databreaches.net site are also making the assumption that this is related to the Vavrinek incident.
Details that weren’t published previously:
The accounting firm is a “big regional firm,” according to Mission Bank president Darrell Lautaret
The police believe it was a smash and grab operation–although, I’d say that smashing and grabbing doesn’t preclude it from being a planned incident
Roughly 50 other banks were affected
Wow. The accounting guys were also dealing with fifty other banks, and their only security was a window? Well, I’m guessing that it was more than a window–they probably had security services similar to ADT securing the window.
However, as the incident shows, there’s a flaw when, erm, using services like ADT to secure data: the response time. Mind you, ADT’s response time is great. I know of it first hand, from when I forgot the security codes to the office…but, there is a delay (a short one) between the time of the break-in and when security shows up. Depending on the environment, a thief could be long gone.
And, of course, if ADT was protecting the premises, it behooves us to point out that it wasn’t really hired to secure data, which requires an entirely separate approach from protecting physical objects.
Seems to me that with every new revelation so far, the accounting firm seems to have exercised poor judgment when it comes to their data security. If they had just spent a couple of hours installing data encryption software…