Hard Drive Encryption: Yorkshire Building Society Laptop Loss Snafu Involves Multiple Errors.

A laptop belonging to Yorkshire Building Society shows classic signs of terrible approaches to information security: lack of disk encryption software, passwords being written down and kept with the laptop, and more data than necessary stored in the computer.  In the end, the computer was retrieved, but this is more luck than anything.

Oh, my.  Where to Begin

One thing to note before we begin.  Yorkshire Building Society (YBS) is a recent merger of two companies: Yorkshire Building Society and Chelsea Building Society (building societies are financial institutions that focus on mortgages).  It seems that the problems stemmed from the Chelsea side, since the stolen laptop belonged to them.

Furthermore, the Yorkshire already has a policy of encrypting all laptops, something that the Chelsea operations did not have in place, apparently.

The gist of the story: an employee with Chelsea returns his laptop, which he was using at home and which was chock full of customer data, because a manager asks him to.  The manager, with Chelsea, writes down the password to the laptop and places it in the laptop case.  The case–along with the laptop and the password–is stolen!  The computer is recovered 48 hours later–a miracle–and there are signs of failed attempts to access its contents–a second miracle.

Writing the password down?  Possibly bad.  Placing it in the same case as the laptop?  Definitely bad.  Not having encryption on a laptop with sensitive information?  Grounds for getting fined.

Getting Lucky

Yorkshire must have done something good, because they’ve been blessed with plenty of luck.

  1. They were able to recover their laptop.  This almost never happens.

  2. Whoever stole the laptop was unable to access it.  Not that he didn’t try.  How did he not see the password?

  3. The ICO, after looking into the matter, didn’t fine them.  The ICO has the power to fine up to £500,000 for a data breach.  So far, it hasn’t used that power.

Of course, for #3 above, it would be unfair to fine YBS.  After all, the poor data security practices stem from the former Chelsea Building Society.  Think about it.

A Chelsea employee uses a laptop at home, one not protected by encryption software like AlertBoot, and the laptop happens to be full of customer data, most of which he doesn’t need.  The laptop is not encrypted by Chelsea.  The laptop is given to a manager at Chelsea who writes down the password (password protection was in place, I guess) and places it with the laptop.  Obviously, Chelsea forgot to educate their employees about correct data security practices.

It would be terrible to fine the new company because of the actions of an old company.  I know it happens, but it’s a terrible approach, especially if the new company is trying to do right:  If I may go out on a limb, I’m betting that the laptop was “recalled” in order to have it encrypted and then returned back to the employee.

The correct approach to laptop data security would have been to have it encrypted prior to saving sensitive data to it.  Once the device is out in the field, it becomes somewhat of a challenge to encrypt it safely, since–as seen in the above case–you could have a breach because you decide to encrypt it.

For example, the IT department has to get involved, so you send in the laptop and that’s when the unforeseen happens: cases get lost, forgotten, stolen; someone breaks into your car; you get mugged on your way to the office; etc.  On the other hand, not encrypting your laptop is not the answer.

How AlertBoot Can Help

AlertBoot is a web-based encryption software suite.  As long as the computer is connected to the internet, the user of the laptop can easily encrypt it, since doing so is not unlike installing any other type of software, including games.  In other words, the laptop doesn’t have to be sent in.

The administrator is needed at a higher level: customizing the central management console, also in the cloud and available anywhere with an internet connection.  It also allows him or her to administer machines as necessary, update policies, and run reports to perform audits on the encryption status of computers.
