The Waterloo Region District School Board in Ontario, Canada has announced a data breach. It is the board’s third breach in less than a year. The announcement, however, leaves much to be desired. They imply that something like disk encryption software was used, but don’t come out and say it outright.
Look, Waterloo Region District School Board: I don’t know what they’ve been telling you, but using encryption software like AlertBoot to protect your data is not a crime. And its efficacy is not affected by pointing out that you used it.
December 1 Break-In, 9 Laptops Stolen
According to numerous sources, the Waterloo Region District School Board (WRDB) has filed a press release stating that there was a break-in at the WRDB head office on December 1, 2011. A thief or thieves smashed a window and stole nine laptop computers used by the center’s staff.
The board declined to make public what type of information was stolen or how many were affected, although they have indicated that it involves students’ personal information.
Most of the coverage mentions that the laptops had a “security system that would require inside knowledge to bypass” (video, swo.ctv.ca) and that “it’s a layered process” (therecord.com). However, what exactly this system is goes unspecified. Both computer encryption software and password-protection fit the description of such a security system, but the latter is not considered a “security system” by professionals, whereas laypeople do consider it so, which is a mistake. I’ve noted before why password-protection is not security.
I did find one site, cambridgetimes.ca, where it’s claimed that the board released a statement that “these computers use industry-standard encryption.” I have yet to find corroborating sources.
What’s the Hush-Hush Surrounding Encryption About?
I’m not sure what to make of the cambridgetimes.ca coverage. If encryption was used, why is it not mentioned by all the other sites that have covered the story? It seems to me that pointing out that “the laptops were encrypted” would be a far better description than “security system that would require inside knowledge to bypass,” which is confusing because it could refer to so many things.
Could it be that cambridgetimes.ca jumped to conclusions and assumed that such a “security system” meant “encryption”? That doesn’t seem to make sense, either.
But what really doesn’t make sense is people’s penchant for declining to mention the use of encryption. I might be biased because of who I work for, but it appears to me that the use of full computer encryption software ought to be trumpeted from the roofs by companies that use it and are subsequently involved in a data breach.
After all, break-ins, burglaries, thievery, hold-ups, carjackings, car thefts, and any number of crimes where laptops and computer equipment are stolen will not stop in the foreseeable future. In such cases, only the use of encryption guarantees* that the thieves won’t access data. What could calm people down better than letting everyone know that their information is impossible to get to?
(* I must include a caveat here: assuming something stupid wasn’t done, like somehow attaching the encryption password to the stolen laptop.)