Approximately two weeks ago, Canada’s cbc.com reported on the theft of a government laptop with promises of more articles on the same in the weeks to come. Earlier this week, the last article was posted. The story is a doozy.
To summarize, an employee with the Department of Health and Social Services (Northwest Territories, Canada) had her work laptop stolen from her rented minivan. Because she was concerned about walking around with the device on her, she hid the thing within the vehicle, which had heavily tinted windows (so, no peeking inside) and was parked in a safe area. Someone picked the car’s lock and stole the laptop.
Oh, and the laptop was not encrypted… because it was “very difficult to encrypt.”
Not Your Usual Reaction to Finding You Have a Data Breach in Your Hands
Once the DHS employee figured out that she had been burglarized, she did something that everyone should do but probably doesn’t:
“[I] did a thorough exploration of public garbage cans and dumpsters, stairwells, elevators, dark alleys and corners, local planters,” wrote the employee.
She called police, reported the theft to two local security companies, and left her contact information at several pawn shops and computer repair shops downtown.
The employee reported the theft to the N.W.T. Health Department by email by 11:25 p.m. that night.
“[I] spent the last three hours sorting through dumpsters, flagging down security guards and revisiting the scene (and other less salubrious corners of Ottawa’s downtown core.) All to no avail,” she wrote in that email.
It’s not mentioned whether she had been aware that her laptop was not encrypted. Based on internal communications obtained by cbc.com, however, it would appear that she hadn’t known. (Indeed, it seems that the only person who knew that the device was not encrypted was the one charged with encrypting it. Everyone else probably assumed it was secured because those are the rules).
So, we can safely assume she did all of the above under the belief that her laptop was protected from a data breach. Most people would have just reported the incident (or not) and gone on with their lives. Between this and deciding to leave her laptop in her vehicle after concluding it would be safer than carrying the laptop around, only the most insensitive idiot would blame her for being careless, unconcerned, or worse.
The story is different when it comes to the device’s encryption status.
(Random observation: When it comes to storing objects, the trunk of a car is not necessarily safer than the inside of a car. Thieves who can pick a car door can also pick a car’s trunk. (Of course, breaking a window is always easier than smashing a hole in the trunk). And, there are those who lie in wait inside parking garages, observing. If they see someone drive in, park, place something in the trunk, and go about their business, they know something of value has been put in the trunk. Instead of breaking into a bunch of cars to end up with nothing, they break into the one that most probably has something of value).
(Second random observation: It’s always a good idea not to leave things behind in a rental car. There are criminals that specialize in breaking into such vehicles (supposedly because non-locals generally pose a lower risk when it comes to contacting the authorities). There’s always a tell, be it a special characteristic like a particular license plate, company decals, or even barcodes somewhere near the front window).
Difficult Is Not Impossible
An employee who currently works in government IT noted:
The IT employee expressed disbelief about the emails suggesting the laptops were “very difficult” to encrypt.
“I don’t believe it. I can’t,” they said. “Difficult means you can still do it.”
He is correct.
In fact, “difficult” couldn’t possibly be the reason why the stolen device was not properly protected. After all, whoever was in charge of securing these devices – Lenovo Helix tablet and laptop hybrids running Windows 8 – didn’t have to code the encryption themselves; if they could, they wouldn’t be working government jobs (at least, not in IT for the health department). Just like any other non-IT person, he or she or they merely had to click on an icon and install some software.
In fact, considering that (1) these were Windows 8 devices and (2) assuming they were not running the cheaper version of the operating system – it is a government department, after all, and Microsoft’s licensing would require them to use a professional grade OS – the encryption software would already be there: It’s called Bitlocker.
All you have to do is turn it on and possibly make a backup of the encryption key. That’s it. There’s nothing “very difficult” about that.
Of course, you would run into difficulties if you were trying to install encryption software that was not Bitlocker. Starting with Win 8, Microsoft switched the operating system’s internals from the Master Boot Record to GPT/UEFI: for the layperson, it basically means that existing traditional full disk encryption wouldn’t work anymore. Getting these legacy security products to install would be difficult, possibly even impossible.
But using a particular encryption software is not the point, is it? The point is to have the laptop encrypted.
And if the solution is right there, waiting to be turned on, then the problem is not “difficult” to resolve. Whoever decided that it would be infinitely better to send these laptops out into the wild unencrypted, as opposed to using a good but perhaps as of yet departmentally unapproved full disk encryption solution – and justified it by saying that it was very difficult to encrypt – should not be associated in any way with data security.
Related Articles and Sites: