BMO Harris Bank has announced today that customers’ names, addresses, and dates of birth were breached when a laptop computer was stolen from a vendor. Per the article at jsonline.com, it appears that drive encryption software like AlertBoot was not used.
On the one hand, the information on the stolen laptop is not traditionally considered sensitive, so it shouldn’t be a big deal. If one is imaginative enough, though, it could mean problems down the road.
BMO Offers Credit Monitoring
BMO Harris was alerted of the breach on June 20, 2012. The computer belonged to an employee of a BMO vendor that was performing a “routine review of information on loan applications,” per jsonline.com. Due to the data breach, BMO Harris is offering 12 months of free credit monitoring and ID theft protection.
SSNs are normally submitted with a loan application (Social Security numbers are collected to run credit checks), yet they were not part of the stolen data; the bank states that SSNs, driver’s license numbers, and account numbers were not involved. That suggests BMO was restricting access to data, one of the key aspects of good data security management.
But the bank doesn’t mention the use of encryption software. Rather, it notes that “the laptop was stolen in a random theft, and that the password for the computer was protected.” On the one hand, having password protection is better than not; however, circumventing it is so easy and unimaginative that one wonders whether it’s any protection at all. An operating-system login password only controls who can sign in; it does not change what is stored on the drive, so the data on it stays readable to anyone who holds the hardware. For example, would you consider your unattended home protected if you live in a bad neighborhood, and the only security you have is locked doors and windows? A brick is all you need to overcome “security.”
Likewise for password-protection. Truth be told, the computer ought to have been encrypted.
This poses a problem for BMO, though, because the laptop was not under its control. The employee worked for a vendor (weakness in the chain #1), and my understanding of the jsonline.com article is that the laptop was the employee’s own (weakness in the chain #2), meaning neither the vendor nor the bank can mandate the use of data protection tools on it.
This is a classic case where data security breaks down due to the porous nature of data.
BYOD – Required Even If You’re Not “Bringing” Anything
In a roundabout way, the above shows why BYOD security solutions are necessary. Your company is probably engaged in BYOD practices whether you know it or not. The grandfather of all BYOD trends, one could argue, is the lowly and ubiquitous USB memory stick.
(To expand: CDs and DVDs are not devices. Neither are email or FTP servers. External hard disk drives and personal laptops made some inroads into corporate space, but it’s hard to argue that everyone brought one of those to work, whereas saying that everyone has used a USB stick is hyperbole only slightly.)
BYOD security solutions promise to curtail (and, dare we hope, eliminate?) instances like the above, but what to do when it comes to personal devices that stay at home? One AlertBoot client has found a partial solution. It requires all employees to encrypt any personal device that holds corporate data, regardless of where it is. So, for example, a desktop computer that stays at home needs to be encrypted despite the fact that it’s not mobile and isn’t going anywhere.
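A policy like that is only as good as one’s ability to verify it. The following is an added example, not code from the original post or from AlertBoot: a Python check that reads the block-device tree reported by `lsblk -J -o NAME,TYPE,MOUNTPOINT` on a Linux machine and decides whether the filesystems that hold data sit underneath a dm-crypt (LUKS) container. The two embedded device trees are constructed samples so the logic runs offline, and the mount points of interest (`/` and `/home`) are an assumption of the example.

```python
"""Verify that data-bearing mount points sit on an encrypted block device.

Walks the tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints and reports, for
each mount point of interest, whether a dm-crypt ("crypt") device is among its
ancestors. The two trees below are constructed samples for offline use;
local_status() inspects the machine the script runs on.
"""
import json
import subprocess

# Constructed sample: / and /home are LVM volumes inside a LUKS container "cryptroot".
SAMPLE_ENCRYPTED = {
    "blockdevices": [
        {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
            {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
            {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
                {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                    {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                    {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
                ]},
            ]},
        ]},
    ]
}

# Constructed sample: same disk, but the root partition is mounted in the clear
# and /home is just a directory on it.
SAMPLE_PLAIN = {
    "blockdevices": [
        {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
            {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
            {"name": "nvme0n1p2", "type": "part", "mountpoint": "/"},
        ]},
    ]
}


def _mountpoints(node):
    """Older util-linux prints 'mountpoint'; newer prints 'mountpoints' (a list)."""
    if "mountpoints" in node:
        return [m for m in node["mountpoints"] if m]
    mp = node.get("mountpoint")
    return [mp] if mp else []


def _walk(nodes, under_crypt=False):
    """Yield (mount point, encrypted?) for every mounted node in the tree."""
    for node in nodes:
        encrypted = under_crypt or node.get("type") == "crypt"
        for mp in _mountpoints(node):
            yield mp, encrypted
        yield from _walk(node.get("children", []), encrypted)


def _owning_mount(path, mounts):
    """Longest mounted prefix of `path`, e.g. /home -> / when /home is not its own mount."""
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def encryption_status(tree, wanted=("/", "/home")):
    """Map each wanted path to True/False (encrypted or not) or None (not mounted at all)."""
    mounts = dict(_walk(tree["blockdevices"]))
    result = {}
    for path in wanted:
        owner = _owning_mount(path, mounts)
        result[path] = None if owner is None else mounts[owner]
    return result


def compliant(tree, wanted=("/", "/home")):
    """True only if every wanted path resolves to a mount that sits on a crypt device."""
    return all(v is True for v in encryption_status(tree, wanted).values())


def local_status(wanted=("/", "/home")):
    """Run lsblk on this machine and evaluate the live device tree."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return encryption_status(json.loads(out), wanted)


if __name__ == "__main__":
    for path, state in local_status().items():
        print(f"{path}: {'encrypted' if state else 'NOT encrypted' if state is False else 'not mounted'}")
```

The check looks only for block-level encryption (anything lsblk reports as type `crypt`), which is what a disk-encryption mandate calls for; file- or directory-level schemes such as eCryptfs or fscrypt would not show up here and would need a separate check. Because a missing mount point yields `None` rather than `True`, `compliant()` fails closed: a machine that cannot demonstrate its encryption is treated as unencrypted.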
Is this the ideal solution? Not really. As the world becomes ever more interconnected, it’s quite obvious that a solution that concentrates on protecting the data directly — like file encryption does — might be a better approach. However, this, too, has its drawbacks; those drawbacks are the reason most opt for disk encryption over file encryption.
One thing is for certain: the answer lies in more protection, not less, and educating people about the realities regarding data security.