But, the fact that encryption was used does not mean that everything is all right in the state of Medford/Somerville (that’s where Tufts has its main campus. I know because it’s my alma mater). In fact, as databreaches.net pointed out, this is a great reminder that laptop encryption like AlertBoot is useless when your computer is not shut down.
Psychology Department Applicants Affected
The breach took place in April 2011, when a laptop belonging to a Tufts researcher was stolen at Mass General Hospital. The laptop contained a spreadsheet with applicant information from 2010. More specifically, applicants were looking to join the Department of Psychology at Tufts. The information for 73 applicants — including names, contact information, SSNs, and academic information — was included in the spreadsheet.
The following is what attracted my attention:
When reporting the theft, the laptop user also reported that, although the computer was encrypted, she believed that it might not have been fully shut down when stolen, and so someone finding the laptop might have been able to access the data without a password. [Notification letter to the NH State General Attorney, their emphasis]
Of course, this means that the computer in question was protected with a disk encryption program.
How Come Laptop Disk Encryption Didn’t Work?
Well, it’s a stretch to say that laptop encryption doesn’t work, or that it didn’t work in this case. For all we know, the computer could have been fully shut down, and hence the above is nothing but Tufts playing Chicken Little.
I think I’ll just explain what’s going on and let the readers make up their minds on whether there is a potential for a breach or not (for the record, I’m of the opinion that there is a slight reason for concern in this case, but it has nothing to do with encryption working…or not working).
It all comes down to how disk encryption works. Disk encryption is like a strong box: if the door is shut, the contents of the strong box are secure. If the door is left open, the contents are not secure. Pretty simple, right? It’s exactly like that with disk encryption software.
If your disk encryption secured computer is turned off, it’s like the strong box’s door being closed. When you turn the computer on and the screen is prompting you for the username and password (or some other method of identification), it’s like the keyhole to the strong box presenting itself; as of this moment, your computer is still protected by encryption.
But the moment you provide the correct password, it’s like slipping in the key to the strong box and opening it: at this moment, neither can protect the contents within.
Now, one might think that this is a weakness in disk encryption; however, that’s like arguing that the strong box has a weakness, in that its door can be opened. The point of all of this: disk encryption can only protect the computer’s data when it’s turned off, just like a strong box.
There are exceptions, of course. For example, if a computer has gone into a state of hibernation or sleep, or if the computer wasn’t used for a while and the screen is locked, there are certain data security products that will extend their protection to those states as well. However, the security provided in such states is not equal to your computer being in the “off” state, since there are methods for obtaining passwords in those states.
In light of the above, what do you think are the chances of actual data theft? I think there is a slight reason for concern because, with encryption in place, the only way that the data could have been stolen is if the laptop computer was never turned off in any way whatsoever. I find that hard to believe. One of the first things you do when stealing a laptop is close its lid, and most computers are programmed to go into sleep mode when that happens.