BreachExchange mailing list archives

Spike in Laptop Thefts Stirs Jitters Over Data


From: Richard Forno <rforno () infowarrior org>
Date: Thu, 22 Jun 2006 13:11:18 -0400

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/21/AR2006062101854_pf.html

By Petula Dvorak
Washington Post Staff Writer
Thursday, June 22, 2006; B01

It has become the police-blotter item of our age: A small-time burglar
swipes a laptop and fences it for a quick $200 at a pawnshop.

But increasingly, these petty crimes are causing anxiety in executive suites
across the country as one corporation after another alerts customers that
laptops holding troves of sensitive records have been stolen.

Week after week, Americans who conscientiously shred every piece of mail and
all credit card receipts learn that their personal information was stored in
the laptop of a low-level employee who casually took it out of the office
and that it has ended up in the hands of some penny ante crook.

"We used to be worried about credit card receipts, and tearing those up. Now
we have to worry about everybody's spreadsheets," said Scott Larson, a
former FBI agent who used to track cyber criminals and is now managing
director for Stroz Friedberg LLC, a consulting and technical services firm.

In the past six weeks, laptop thieves have found themselves holding
thousands of credit card numbers from Hotels.com, birthdates from District
pensioners who put their retirement funds in ING, addresses of nuclear power
plant employees, account numbers of Mercantile Potomac Bank customers -- or
even the Social Security numbers of people who work for Equifax, the credit
reporting giant.

Untold millions of Americans are affected. Last month, the U.S. Department
of Veterans Affairs reported that a stolen laptop and computer hard drive
taken from an employee's house in Montgomery County contained personal
information on 25.5 million veterans and military personnel.

Montgomery police have been distributing fliers with a photograph and a
description of the stolen laptop. "It is a priority of the department to
find that laptop," said Lt. Eric Burnett, a police spokesman.

Social Security numbers and the birthdates of 13,000 District workers and
retirees were among the data contained on a laptop stolen last week from the
Southeast Washington house of an employee of ING U.S. Financial Services.

And Wednesday, Equifax reported that an employee's laptop was stolen on a
London train, compromising the personal records of about 2,500 of the
company's Atlanta-based employees.

"By the time you add up a million here and 900,000 there and 4 million over
there, you've covered most of the credit-holding and wage-earning population
of the U.S.," said Marcus J. Ranum, a firewall designer, in an e-mail. "I'm
sure my math is suspect, but I estimate that there are about 156 Americans
whose personal information has not yet been compromised."

The thefts are being reported in large part because many states have passed
laws requiring that they disclose potential data breaches.

What is striking to many people is how widespread and haphazard the spread
of personal information has become in companies and government.

"Quite often, you see the line worker has more data than the upper echelons
of the company or agency," Larson said. "The secretary for the CEO has more
data on a laptop than the CEO of the company. That's the person doing the
memos, doing the spreadsheets. And that's where the sensitive information
is."

The ING employee whose laptop was stolen was a working-class type,
fastidious enough to report that "nine cans of beer and two jars of change"
were also stolen from his Southeast D.C. house, according to police.

Virginia security consultant Kevin Mandia said that databases are simply no
longer guarded like the "crown jewels" inside giant, blinking mainframes,
and companies are opting for the cost-effectiveness of giving employees
laptops rather than desktop computers.

But laptops go to employees' homes, where they can be stolen. Encrypting the
data would be one safeguard, but some computer experts say encryption
software is cumbersome, expensive and rarely implemented.

Laptop theft is clearly on the rise in the District, said Capt. Michael
Reese, who heads the D.C. police department's special investigations unit.
Reese said the laptops turn up in pawnshops for about $400 or on the street
sold by junkies for $20. But he doesn't remember ever tracing a case of
identity theft back to a stolen computer.

"There are various ways that people have their identity stolen: wallet,
trash, copying your name at the restaurant, looking at a credit card real
quick, all different ways," Reese said. "But not the kind of 'I Spy' stuff
like getting it off a stolen laptop."

Mandia's laptop was stolen several years ago. He found it at a pawnshop on
Lee Highway being sold for $400, but no one had opened it, turned it on or
accessed the highly sensitive unencrypted data it contained, he said.

That has been the case with most such thefts.

If someone wants to be an identity thief, it's far easier to go on
overseas-based Web sites that auction off blocks of stolen credit card
numbers, eBay-style, said Michael Vatis, a lawyer and executive director of
the Markle Foundation's Task Force on National Security in the Information
Age.

Vatis said it would be laborious, time-consuming and a gamble for identity
thieves to target middle managers, follow them and steal their laptops,
hoping a database would be there.

"If this is your business, stealing people's identity, you're better off
with a business model where you're not looking for a needle in a haystack
but you're looking for hay, and there are haystacks everywhere," he said.

But assuming that stolen data will remain untapped is dangerous, said Beth
Givens, director of the Privacy Rights Clearinghouse, a consumer advocacy
group in San Diego.

Givens said it's probable that, in many cases, laptops are taken by
unsophisticated burglars uninterested in what's inside. But she said the
majority of identity theft cases are never traced back to the origin of the
theft.

"I don't want to be alarmist, but there are so many breaches being reported
these days," Givens said. "We all just need to assume our personal
information, especially our Social Security numbers, are at risk."

Staff writer Ernesto Londoño contributed to this report.
© 2006 The Washington Post Company


_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/

