BreachExchange mailing list archives

Forrester Loses Laptop Containing Personnel Data


From: "Michael Hill, CITRMS" <mhill () idtexperts com>
Date: Thu, 6 Dec 2007 11:48:03 -0500

http://www.eweek.com/article2/0,1895,2228887,00.asp
      Thieves stole a laptop from the home of a Forrester Research employee during the week of Nov. 26, potentially 
exposing the names, addresses and Social Security numbers of an undisclosed number of current and former employees and 
directors, the company said in a letter mailed to those affected on Dec. 3.

      Forrester "Chief People Officer" Elizabeth Lemons said in the letter that the hard drive is password-protected 
but made no mention of encryption. 

      The laptop contained records pertaining to those who have received grants of Forrester stock options or who have 
participated in the research firm's Employee Stock Purchase Plan, according to the letter. Those who have done 
contractual work for the consultancy, but who haven't participated in either stock plan, also appear to be affected. 

      The incident appears to be a clear case of, "Do as I say, not as I do." Besides the irony of a technology 
consultancy that apparently does not encrypt sensitive data on employee laptops, the office of Forrester's "chief 
people officer" apparently had not informed the firm's media staff of the incident before sending out the letter. 

      When eWEEK contacted Forrester's press hotline on Dec. 5, a staffer said that this was the first she had heard of 
the incident. 

      [...]

      The idea that password protection actually protects laptop data is one that's laughed out of the room by security 
professionals. "Anybody with a relative clue, or at least a copy of Knoppix or F.I.R.E. [data recovery tools], could 
potentially bypass security measures implemented on lost or stolen drives. Period," wrote data breach experts at 
Attrition.org, a volunteer-run site that keeps a running list of data breaches relied on by organizations including 
Privacy Rights Clearinghouse. 

      "Unless data on a drive is encrypted with a key either unknown or inaccessible to an intruder, that data is open 
to compromise," Attrition said in a February posting that followed the recovery of a lost VA laptop. 

      "We won't even go into cracking AES256 or 3DES here; for the most part, such measures are impractical. Cracking 
algorithms over 128-bit is possible, but only with a lot of time and/or firepower. However, shoving a CD in the 
machine, rebooting and typing: '# mount /dev/hda1 /tmp/stolen_info/ # cd /tmp/stolen_info/ # ls -la' is not that 
difficult and it makes all of that 'password-protected' data quite readable, even for a casual computer user. 

      "If the person who stole the laptop were to remove the drive and perform a bit-by-bit copy, they would circumvent 
any password protection on the computer. Remember, BIOS and Operating System passwords rely on the computer and OS to 
boot up. If you remove the drive, neither will offer any level of protection and are completely worthless." 

      A volunteer for Attrition who goes by the online name "Lyger" told eWEEK that Forrester's notification letter to 
those affected "should be of little comfort," given that Forrester didn't divulge whether the laptop's hard drive was 
encrypted. 

      At any rate, it may be ironic, but Forrester's dilemma is far from unique. A former analyst for a defunct 
technology consultancy wasn't surprised to learn the details behind the breach. "When I was at Meta, we didn't do 
anything in our back office that we preached to others," he said. "It is symptomatic of all businesses. They really 
don't pay any attention to their own employees when warned of something


[..]
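The Attrition passage quoted above makes one technical point: a BIOS or login password only matters while the drive is read through that OS, so nothing short of encryption protects the data once the disk is pulled. As an added example (not part of the original post or of Attrition's or Forrester's material), the Python check below reads the first bytes of a volume and reports whether it carries a full-disk-encryption header (LUKS or BitLocker) or a plaintext filesystem that an OS password alone would leave readable; the sample headers are constructed inline and `audit_device` is a hypothetical helper name.

```python
import struct

# Signatures checked at fixed offsets in the first 4 KiB of a volume.
LUKS_MAGIC = b"LUKS\xba\xbe"      # offset 0, LUKS1 and LUKS2 primary header
BITLOCKER_OEM = b"-FVE-FS-"      # offset 3, BitLocker volume boot sector
NTFS_OEM = b"NTFS    "           # offset 3, plaintext NTFS boot sector
EXT_MAGIC = b"\x53\xef"          # offset 1024 + 56 in the ext2/3/4 superblock
FAT32_LABEL = b"FAT32   "        # offset 0x52 in a FAT32 boot sector


def classify_volume(header: bytes) -> dict:
    """Classify the first bytes of a volume as encrypted or plaintext.

    Returns {"format": str, "encrypted": bool | None}. None means the
    header was not recognised; an auditor should treat that as 'unknown',
    never as 'encrypted'.
    """
    if header.startswith(LUKS_MAGIC):
        version = struct.unpack(">H", header[6:8])[0]  # big-endian uint16
        return {"format": f"LUKS{version}", "encrypted": True}
    if header[3:11] == BITLOCKER_OEM:
        return {"format": "BitLocker", "encrypted": True}
    if header[3:11] == NTFS_OEM:
        return {"format": "NTFS", "encrypted": False}
    if len(header) >= 1082 and header[1080:1082] == EXT_MAGIC:
        return {"format": "ext2/3/4", "encrypted": False}
    if header[0x52:0x5A] == FAT32_LABEL:
        return {"format": "FAT32", "encrypted": False}
    return {"format": "unknown", "encrypted": None}


def audit_device(path: str) -> dict:
    """Hypothetical helper: read the first 4 KiB of a device/image and classify it."""
    with open(path, "rb") as f:
        return classify_volume(f.read(4096))


# Constructed sample headers (not real disk images) so the script runs stand-alone.
SAMPLES = {
    "luks2": LUKS_MAGIC + struct.pack(">H", 2) + b"\x00" * 4088,
    "bitlocker": b"\xeb\x58\x90" + BITLOCKER_OEM + b"\x00" * 4085,
    "ntfs": b"\xeb\x52\x90" + NTFS_OEM + b"\x00" * 4085,
    "ext4": b"\x00" * 1080 + EXT_MAGIC + b"\x00" * 3014,
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, classify_volume(hdr))
```

On a real host, `audit_device("/dev/sda2")` (run as root) gives the same verdict for a data partition; a result of NTFS or ext with `encrypted: False` is exactly the "password-protected but not encrypted" state the article describes.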
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
