The ottawacitizen.com reports that approximately 800 Ottawa pensioners were affected when a hard drive belonging to Towers Watson — the American firm that specializes in human resources consulting — went missing from storage in Manila, the Philippines. The drive in question was not protected with the likes of AlertBoot hard disk encryption.
Company Thinks There’s Low Risk
Towers Watson, headquartered in New York, was in charge of the City of Ottawa’s superannuation fund which was established
in the municipality’s early years and covered police, firefighters and city staff. Everyone currently in the plan is retired or is a surviving beneficiary of the pensioner, and is not a member of the Ontario Municipal Employees Retirement System. OMERS was a new plan created in the 1960s to handle the retirement benefits of local government employees across Ontario. [ottawacitizen.com]
Seeing how the city has been around since 1826 — and adopted its current name in 1855 — that’s one heck of a long-surviving pension program. Towers Watson, however, has only been in charge of the fund for the past 13 years.
The computer hard drive was decommissions and was placed in a secure area prior to having its data wiped; however, it was stolen in early May when the company suffered a number of other computer equipment related thefts. The stolen drive, according to company spokesman Michael Millns,
…didn’t include bank account details. It didn’t include passwords or that type of stuff. … You could probably get the same information by stealing a copy of someone’s tax return.
There’s really not a lot there, which is why I think we think … there’s a very low risk. [ottawacitizen.com]
I don’t know how Canadians file their taxes, but I’m assuming that some type of SSN-like number is used. That would mean the theft actually represents a high risk, even if risks have been reduced by not including financial data.
Company Switching to New Computer System
Ironically enough, the data breach was made possible in part because Towers Watson was switching to an encrypted system. This happens more than often enough, you know? For example, Company A decides to improve their data security. They plan the upgrade, work out the logistics on how they’re going to go about it, start installing encryption in batches so the IT department doesn’t get overwhelmed, and they suffer a data breach when a laptop is lost halfway into the program.
Unfortunately, it is impossible to complete prevent the above from happening. The risks of it taking place, however, can be severely reduced by speeding up the process of deploying encryption. Would your risk profile look different if you could deploy full disk encryption to 1,000 laptop computers over a period of one week versus three months?
Of course it would. That’s why AlertBoot was created as a web-based service: it allows disk encryption to take place from anywhere that there is an internet connection. So, instead of planning for the physical logistics where employees bring in their machines and temporary place them with the IT department, the encryption deployment can be pushed out to all employees via email, eliminating a significant chokepoint and speeding up the process of securing an organization’s data.