FTC Laptop Theft Exposes Consumer Data

June 22, 2006

By Brian Krebs, WashingtonPost.com

http://blog.washingtonpost.com/securityfix/2006/06/ftc_laptop_theft_exposes_consu.html



The Federal Trade Commission -- an agency whose mission includes consumer protection and occasionally involves suing companies for negligence in protecting customer information -- today disclosed a recent theft of two laptop computers containing personal and financial data on consumers.

In a statement, the FTC said two employee laptops were stolen from a locked vehicle. The PCs contained data on about 110 people that was "gathered in law enforcement investigations and included, variously, names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers."

The commission said it has "no reason to believe the information on the laptops, as opposed to the laptops themselves, was the target of the theft. In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops." The agency also said it would offer affected individuals one year of free credit monitoring.

The FTC's loss is just the latest in a string of laptop thefts -- including several here in the Washington area -- that exposed sensitive information on millions of consumers. Last month, the U.S. Department of Veterans Affairs reported that a stolen laptop and computer hard drive taken from an employee's house in Montgomery County contained personal information on 25.5 million veterans and military personnel. Social Security numbers and the birthdates of 13,000 District workers and retirees were among the data contained on a laptop stolen last week from the Southeast Washington house of an employee of ING U.S. Financial Services.

When do we get to the point where these kinds of losses become so unacceptable that businesses are forced to take sensible measures to prevent them? Perhaps the thieves just want to wipe the drives and fence the computers for a few hundred bucks as soon as possible. But that doesn't erase the emotional and financial toll such thefts inflict on the people whose data was on them.

There is a relatively simple answer here: require companies that insist on storing sensitive information on laptops to encrypt the data or the hard drives themselves. But with all of the thefts and losses reported over the last 15 months alone, I wonder whether we've reached a point where everyone's private information isn't already available for sale in some giant black-market database somewhere.

Apparently, I'm not the only one who shares this suspicion, according to another story in the Post today that quotes Marcus Ranum, a firewall designer and security expert who is a frequent critic of the shoddy state of software security.

"By the time you add up a million here and 900,000 there and 4 million over there, you've covered most of the credit-holding and wage-earning population of the U.S.," Ranum wrote in an e-mail. "I'm sure my math is suspect, but I estimate that there are about 156 Americans whose personal information has not yet been compromised."
