Employers rushing to stem data theft tide

By Stephen Manning

updated 7:12 p.m. ET June 18, 2006

ROCKVILLE, Md. - Reports of data theft often conjure up images of malicious hackers breaking into remote databases to filch Social Security numbers, credit card records and other personal information.

But a lot of the time, the scenario is much simpler: A careless worker at company or agency with weak security policies falls prey to a low-tech street thug who runs off with a laptop loaded with private data.

In the biggest case, the Department of Veterans Affairs recently lost data on 26.5 million veterans and military personnel stored on a laptop and external drive stolen from the suburban Washington home of a VA employee.

Security experts and some privacy groups say simple measures could protect data if a laptop falls into nefarious hands. They include encrypting the information so it's nearly impossible to access without the correct credentials.

"It is shocking how many of these are stolen laptops and that fact that the users of the laptops did not use encryption to secure the data," Beth Givens, director of the Privacy Rights Clearinghouse, said of recent data losses. "If thieves read the newspaper, they can readily figure out that they have got more than just a piece of hardware."

Since June 2005, there have been at least 29 known cases of misplaced or stolen laptops with data such as Social Security numbers, health records and addresses of millions of people, according to the Privacy Rights Clearing House, a San Diego-based nonprofit that tracks data thefts.

So far, there is no evidence the stolen data were used for identity theft or other nefarious purposes. In most cases, the laptop itself, not the personal information on it, was the likely target of the theft.

Sometimes, there's no good reason for why so much information is being kept on individual machines that are designed to be carried out of the office. In other cases, workers were allowed to have the data on the laptops but didn't follow proper procedures for keeping it safe. In others, they broke the rules by taking personal data out of the office or not protecting it with digital tools.

Laptops have been stolen from cars, gone missing when checked for airline flights, and been taken from offices and employee homes. Hospitals, universities, consulting firms, banks, health insurers and even a YMCA have lost personal data.

MORE FROM SECURITY

Security Section Front

Web site design flaws make banking riskier Facebook redesign to weed out toxic spam The end of human customer service? EU warns against buying ring tones online Engineer accused of network tampering Man gets prison time for spamming AOL FCC chief says Comcast violated Internet rules Lawmakers to probe 'adware' practices Red Tape: Thwarting thieves with ... magic? 'Public' online spaces don't carry speech, rights Security Section Front   Add Security headlines to your news reader: