Databreaches.net reports that cosmetics powerhouse Estee Lauder has alerted the New Hampshire Attorney General’s Office about a data breach. The loss of a laptop compromised employee information, including SSNs. It has not been revealed where the laptop was stolen or whether it was protected with laptop encryption software.
Dissent at databreaches.net notes that the letter to the NH AG is very light on the details of the data breach.
We know this much for sure: a laptop containing information on current and former employees was stolen. The information involved includes names and Social Security numbers. The laptop was company-issued. It was also noted that the company “changed all passwords assigned to the employee for access to the stolen laptop.”
Anything apart from the above is speculation. Here’s my two cents: I get the feeling that the laptop was encrypted.
First, there is the fact that the laptop was company-issued. While there are plenty of stories in the media about companies losing laptops that were not encrypted, we’ve got to remember that that’s exactly why it’s being reported. I mean, who’s going to publish news where encryption software like AlertBoot was used so “everything’s alright”? That’s not news.
So, if you will, there is a “silent majority” out there who have their encryption in place. (If this had been a personal laptop that was stolen, I’d be betting on encryption not having been used.)
Second, the company had enough security programs installed on the now-missing device that they could go ahead and change the password on it. Now, your average Windows boot-up password cannot be changed in that way. Ergo, there is something installed on the laptop that will “call home” and update itself, most probably via the internet. It’s not a stretch to presume that laptop encryption was used under such circumstances.
Of course, there is the unsettling fact that the use of encryption was not mentioned in the letter to the Attorney General. However, I’ve been burned in the past (more than a couple of times, actually) where I speculated that cryptographic solutions were not used because they were not mentioned…but it turned out that they were.