
Mobile workers losing laptops by the truckload
By Ian Harvey
Kevin Coffey is a charming, larger-than-life Irish-American Los Angeles Police detective with ice-blue eyes, a big smile and a firm, engaging handshake. And he’s prepared to rob you blind to prove how easy it is to steal not just your laptop but all the data it holds. To make the point, Coffey has set up hidden cameras in airports and parking lots, and has carved out a business as a consultant on travel security. To drive his message home, Coffey loves to show video clips of road warriors being relieved of their laptops as they sit in departure lounges, stand in line or even go through X-ray machines at airport security.
Watching the videos, it’s clear the criminals are well organized and the thefts fairly easy. For example, a traveller puts a laptop on the X-ray conveyor belt and a thief one or two spots ahead in line simply picks it up and walks away. Distracted for a moment retrieving keys, wallet and other paraphernalia, the owner doesn’t notice the theft until the hardware and corporate data on it are long gone.
Data loss is a massive risk for corporations globally because a mobile workforce carries information with it—on laptops, smartphones, PDAs and USB memory sticks.
All that matters is data
“IT managers used to worry about losing laptops because they were expensive,” said Coffey, whose road show has taken him to Oprah, Dateline and 20/20. “Now it’s about the data, especially personal information in that data.”
A crackhead who steals a laptop from the back seat of a rental car may only get $50 to $100 for the hardware, while millions of dollars in personal data is at stake, as organizations like the U.S. Department of Veterans Affairs are discovering. It admitted last May that a laptop stolen from an employee’s home contained information on 27.6 million veterans. Two teens were arrested after a $100,000 reward was offered and the laptop and two external hard drives were recovered.
“They weren’t after the data, apparently,” said Ben Haidri, vice-president of Vancouver-based Absolute, a theft recovery and on-board data protection vendor. “They wanted it to play video games.” Now, however, the department is spending millions to fight off pending lawsuits from veterans, and arguing that none of the files were accessed or fell into the wrong hands.
The case is the largest mobile technology loss in the U.S. but it’s not isolated. That same month, information on 900 Ottawa-area bank customers was compromised when thieves stole a Bank of Montreal (BMO) laptop. A month later, Vassar Brothers Medical Center in Poughkeepsie, N.Y., disclosed that a laptop stolen from the emergency department stored insurance numbers and birth dates of 257,800 patients, while in August, the Florida Department of Transportation reported a special agent’s laptop with 132,470 names, addresses, insurance numbers and birth dates of people with commercial driver’s licenses, pilot certificates and driver’s licenses had been stolen.
According to the Privacy Commissioner of Canada, hundreds of computers were stolen from federal government offices in 2003. Public Works alone lost 30 laptops.
Coffey suggests for each 10,000 people whose data is on a hard drive, the cost of recovery, compliance and liability could be up to US$2.5 million. And that’s the issue, because in many jurisdictions, privacy laws and corporate governance regulations require immediate disclosure if sensitive data is lost or stolen.
Gone in Seconds
The upshot of BMO’s loss was to partner with Ontario’s Information and Privacy Commissioner Ann Cavoukian to issue a public alert, urging employees and corporations to put in place precautions and policies to protect data. “Working away from the bricks-and-mortar office means you are also working outside of the traditional security layers,” Cavoukian said in launching the campaign. “You need to re-assess the privacy and security risks associated with working remotely or while travelling.”
A brochure jointly published by BMO and the Commissioner’s office said all employees should check whether they are authorized to remove client information from their organization’s premises. If they have permission to remove the data they should also take prudent steps to ensure that the device’s encryption technology and passwords are fully updated and correctly configured, and that they keep the laptop secured—either on their person or locked away.
Even then it’s not a foolproof plan. “Some of these guys will follow business travellers to rental car lots and watch them stow their laptops in the trunk of a rental,” Coffey said. “They’ll then follow them to a restaurant or their hotel and if the victim doesn’t take the laptop, they’ll pop the trunk lock and take it.”
According to Detective Malcolm Bow, assigned to Peel Regional Police’s Lester B. Pearson International Airport detachment, there has been an increase in what the force calls distraction thefts. “It looks like a specific group who work in teams, one to distract the victim and the other to take the bag.” He said they go for small bags because that’s where the valuables usually are, especially laptop bags, hitting travellers as they chat on their cellphones or in lineups for the rental car counters or check-in.
“They rob all kinds of travellers: military people, police officers and, of course, business travellers,” Bow said. “Looking at them on the videos later, it’s amazing how slick and how fast they are. But what also amazes me is that very few people have activated the LoJack (a theft recovery system) on their computers, so they can wipe out the data. And it also amazes me that so few know the serial number of their laptop, which makes it a lot better for us when filling out the reports.”
“It’s the cost of compliance and the liability which is driving the market,” said Haidri, whose company has partnered with Hewlett-Packard and pre-installs LoJack in its laptop line for an annual fee of $50. Haidri claims that while the theft rate in companies is between 3.5 per cent and five per cent, those with Computrace (desktop software) and LoJack see a theft rate of 0.5 per cent.
HP’s foray into high-level security is based on first-hand experience. Confidential data on more than 196,000 current and former employees was lost when a laptop was stolen from a financial services company working for the technology giant.
“There are three main types of thieves,” Haidri said. “The traditional, who are converting to cash; disgruntled employees, who steal laptops because they feel taken advantage of; and those who feel they’re entitled to steal as a perk.” The rarest is the thief intentionally targeting laptops or other devices for the data they hold, either to facilitate identity theft or to capture intellectual property such as proprietary designs.
And the actual theft of hardware is only the most obvious threat. Cavoukian also said laptops, PDAs and smartphones, the “golden eggs” of identity theft, should also be protected against malicious software that might mine sensitive information such as passwords and financial services access codes.
Countermeasures
Companies worried about data loss need to deploy defenses. Biometric security such as fingerprint readers, encrypted access to hard drives, and the ability to remotely wipe data are all useful. A few manufacturers encrypt hard drives, making data inaccessible even if moved to another machine.
Microsoft is also kicking security up a notch: its Windows Mobile 5 operating system for handhelds allows IT administrators to remotely wipe all data from a unit if it’s reported lost or stolen, while the recently released Windows Vista OS has similar features.
But no matter how many fingerprint readers, encrypted hard drives and operating systems, personal data policies and procedures the state or an organization imposes, the weakest link will always be the hard drive itself. “It’s important to show that though the laptop was stolen, the data wasn’t accessible,” Haidri said. “If you can show you took reasonable steps, you can mitigate your liability.”






