Primary target laptop, low risk of data theft?
ID theft ring targets homes, cars
There are companies that store sensitive data on portable devices (duh!). At some point, these devices go missing — stolen; lost; misplaced; dog ate it and pooped it in someone’s garden; you name it. If drive encryption like AlertBoot was used to secure the data, it’s not a big deal as far as data breaches go (in fact, the data is so secure that many laws and regulations provide safe harbor from prosecution, fines, etc. if encryption is used).
When encryption software is not used, however, companies are forced to send letters to customers due to the passage of data breach notification laws. Many companies note that they always have their clients’ security in mind, current situation notwithstanding; that their device had some other type of security other than encryption (which apparently is not as good, because here they are sending you this breach notification); and mention how the data was not the target of the theft because a bunch of other stuff other than the computer / hard drive / USB flashdisk / etc. were stolen as well.
For the last part, I often bring up my purse analogy for data breaches: if someone steals a purse because, say it’s a Prada that costs $2,150…will the thief not look inside the purse after he (or she) has gotten it because the target was the purse? Quite unlikely.
So where do these companies get off speculating that clients’ data is safe (or at least that there is a low-risk of a data getting stolen) because they think that the primary target was the hardware and not the data inside it? After all, if I have a laptop in my possession, and there’s nothing that’s truly preventing me from accessing it, I’d boot it up to see what’s inside it. I’ve been making this argument for quite a while.
I’ve read stories here and there about people stealing documents for the SSNs on them and whatnot. The cases are generally insider jobs (such as a nurse stealing medical files and using them for ID fraud), so my purse analogy doesn’t quite apply, and to date I still haven’t come across a story where the primary target was a laptop which eventually led to an ID theft, or where a laptop was stolen but the primary target was the data inside of it.
However, I fail to see how such things are not happening when I come across stories like the following.
Car Prowls and Residential Burglaries to Steal Documents
A man in Olympia, Washington was given 15 years in prison for ID theft. According to various sources (which on retrospect all come from theolympian.com), more than 40 boxes of evidence were hauled from Anthony Vaughn’s home:
According to the Sheriff’s Office, such items belonging to more than 1,000 victims had been stolen. Detectives think Vaughn had accomplices who stole identification documents during car prowls and residential burglaries [theolympian.com]
Now, let’s think about this for a moment: the theft of the data was the main purpose in these burglaries (and hindsight tells us so). But, think about the actual time of the burglary. What are the chances that the thieves only stole IDs and fled from the crime scene? If there was a stereo, some cash lying around, gold rings, a ruby the size of a banana…what are the chances that those had been left behind because the thieves were there “for the IDs”?
Close to nil, I bet. In fact, if the IDs were stolen in addition to other items (“hardware”), I bet the winning argument at the time would have been that this was an ordinary burglary where thieves also stole IDs. But, of course, hindsight tells us otherwise. And if a laptop computer was stolen? Well, even if it contained a home-based business’s banking account info, client roster, etc., the laptop would have been the primary target, not the data.
So, if you hear about a case in the future where a computer was stolen but was not protected with laptop disk encryption, but you shouldn’t worry because the hardware was the primary objective — take it with a grain of salt. Today’s thieves know where the big money lies, and it’s not in a dated computer with a resale value of $300 on eBay.
Related Articles and Sites: