Employers rushing to stem data theft tide

By Stephen Manning

updated 7:12 p.m. ET June 18, 2006

ROCKVILLE, Md. - Reports of data theft often conjure up images of malicious hackers breaking into remote databases to filch Social Security numbers, credit card records and other personal information.

But a lot of the time, the scenario is much simpler: A careless worker at company or agency with weak security policies falls prey to a low-tech street thug who runs off with a laptop loaded with private data.

In the biggest case, the Department of Veterans Affairs recently lost data on 26.5 million veterans and military personnel stored on a laptop and external drive stolen from the suburban Washington home of a VA employee.

Security experts and some privacy groups say simple measures could protect data if a laptop falls into nefarious hands. They include encrypting the information so it's nearly impossible to access without the correct credentials.

"It is shocking how many of these are stolen laptops and that fact that the users of the laptops did not use encryption to secure the data," Beth Givens, director of the Privacy Rights Clearinghouse, said of recent data losses. "If thieves read the newspaper, they can readily figure out that they have got more than just a piece of hardware."

Since June 2005, there have been at least 29 known cases of misplaced or stolen laptops with data such as Social Security numbers, health records and addresses of millions of people, according to the Privacy Rights Clearing House, a San Diego-based nonprofit that tracks data thefts.

So far, there is no evidence the stolen data were used for identity theft or other nefarious purposes. In most cases, the laptop itself, not the personal information on it, was the likely target of the theft.

Sometimes, there's no good reason for why so much information is being kept on individual machines that are designed to be carried out of the office. In other cases, workers were allowed to have the data on the laptops but didn't follow proper procedures for keeping it safe. In others, they broke the rules by taking personal data out of the office or not protecting it with digital tools.

Laptops have been stolen from cars, gone missing when checked for airline flights, and been taken from offices and employee homes. Hospitals, universities, consulting firms, banks, health insurers and even a YMCA have lost personal data.

MORE FROM SECURITY

Security Section Front

FBI: Hackers targeting law and PR firms House pushes ban on peer-to-peer software Facebook hit by ‘Control Your Info’ intruder Twitter phishing ploy goes for ‘Direct Messages’ Red Tape: Your chance to spy on Google Hacking ring caught in $9 million fraud Tagged.com settles with states in invite fight Framed for child porn — by a PC virus Obama gets mixed reviews in China's blogosphere Spain: Internet-related child porn on the rise Security Section Front   Add Security headlines to your news reader: