PERA, the Public Employees Retirement Association, of New Mexico has notified 100,000 current and retired government workers of a data breach that could lead to fraud. Personal information stored on a laptop computer was lost. The device was not protected with data encryption software like AlertBoot but secured with password-protection, the use of the latter being like defending yourself with a butter knife.
Third Party Parked Vehicle
According to report filed with the police, the theft of the laptop (and cause of the data breach) occurred between June 12 and June 13, anywhere from 8 PM and 4:30 AM the next morning:
That was more than enough time for a thief to break the truck’s passenger window and make off with the computers and iPod….
One of the stolen computers — a gray Dell laptop — could have contained personal information for tens of thousands of active and retired New Mexico government employees and their beneficiaries [santafenewmexican.com]
The stolen information may have included names, addresses, financial institution routing numbers, account types, account numbers, payment amounts, and PERA IDs.
According to the same police report, the laptop was in the possession of an employee, a Mr. Peixotto, at Atkinson & Co. who was performing an annual audit of the state agency. It is not yet known whether the laptop is a company-issued one or the employee’s own.
Regardless, PERA’s executive director has stated that “we certainly are going to hold any vendor accountable” although said it was “too early to tell” when asked about any actions against the auditing firm.
“Intriguing Details” Emerge
The case took an interesting turn. According to the santafenewmexican.com:
On Friday, a pawn shop Peixotto had contacted soon after the theft called with a potential break, according to the report. It appears Peixotto had contacted the Clovis pawn shop because thieves sometimes pawn stolen items for quick cash, and he wanted its employees to know what to look for.
Someone had brought in his computer case, the pawn shop told Peixotto, according to the report. What Peixotto found was indeed his bag. “Atkinson” was emblazoned on the black canvas material. Inside the case was a Dell computer, but it was not the company’s Dell computer or his personal HP laptop, which was also stolen from the truck.
Peixotto did not recognize the computer in the case, the reporting officer wrote.
Could the switch be a result of not using encryption software to protect the data? Password-protection (which is a delightful misnomer — it doesn’t really protect anything) can easily be overridden. Could this be a case where the thief or thieves turned the computer on, bypassed the password, saw what kind of data it contained, and decided to keep the laptop instead of hawking it right away?
Why the decoy, then, you might ask. Perhaps it’s because things tend to sell at a higher price as a set. Sell a laptop only, you get one price. Sell it with the power brick, you get a higher price. Sell it with a laptop case and you get a price higher than that.
If you have a random laptop lying around and another laptop that came with a case — but you’re planning on keeping the second laptop — it only makes sense to the sell the rest together.
Of course, mere speculation on my part. Except the part about password-protection not living up to its name. And the implication that the use of data encryption would certainly have prevented a data breach from taking place.