Thursday, June 7, 2007

Stolen Laptops and data breaches - something doesn't add up

If it seemed to you like a new data breach was making the news every single day last year, you weren't far off from the truth. According to the numbers released by the Privacy Rights Clearinghouse, there were 327 reported data breach incidents in 2006. So it wasn't quite every day - maybe the bad guys took the occasional Sunday off.

If you take a closer look at the numbers, you'll see that 37% (or 119) of the incidents involved laptops. While it is difficult to determine precisely how many individuals' records were potentially compromised by these 119 breaches, it is most likely in the hundreds of thousands, if not the millions (the statistics on the page linked above seem to include the Department of Veterans Affairs incident, in which the laptop was later recovered). So thousands and thousands of records potentially compromised by only 119 breaches? Well, at least there were only 119 breaches, right? Maybe not.

If you gave truth serum to the Chief Information Security Officers of all the Fortune 500 companies, and asked them if their companies had lost a laptop due to theft during 2006, I think you'd find that 100% of them had lost at least one laptop. In fact, I'd bet if you asked whether they had lost more than 100 laptops, more than one would answer yes to that as well. I know of one Fortune 500 company that averages a stolen laptop every other day!

It gets worse if you do a bit of research into just how many laptops are stolen annually. Again, the numbers are difficult to pin down, but some believable numbers I've heard fall in the range of 500,000 to 1 million. Even on the low end, that's a lot!

So if I'm right and 500 of the largest companies have had at least one laptop stolen, and total laptops stolen is at least in the hundreds of thousands if not the millions, why have we only heard about 119 data breaches due to stolen laptops?

Even if we assume that a good number of those stolen laptops were owned by individuals rather than corporations, I'd be willing to bet that the majority were owned by corporations. Why? Because most are stolen out of vehicles, hotel rooms, at airports, etc. In other words, people traveling or on their way home from work, which means a good number of these are most likely corporate machines.

If only 119 of the hundreds of thousands of stolen corporate machines were holding personally identifiable information, what were the rest of those people using their laptops for? It hardly seems to me like you'd spend all that money equipping your staff with laptops if they aren't doing anything important with them.

If you allowed the CISOs to defend themselves, I'm sure they would spout some garbage about how their policies prohibit storing sensitive data on laptops. Even if I believe that all of their employees follow policy (which I don't), how can they be so sure there is no personal info on those laptops? In most cases they can't.

If you ask any expert who does forensic analysis of disk drives, I'm sure he or she could tell you stories where some individual has attempted to hide his nefarious activities by deleting files to cover his tracks. I'm sure the expert can also tell you that quite often he or she can still recover some (or all) of those tracks by looking at temporary files, swap files, etc. And these are cases where the data was intentionally wiped from the disk!

Any time you work with data, your operating system is potentially leaving pieces of that data on various parts of the drive. It isn't doing this maliciously, and it isn't an accident; it is just the way software works. In order to work with more applications and data than your computer has memory to handle, operating systems and other software applications temporarily store parts of that data on disk until it is needed again. Usually that data is cleaned up when a program closes, but not always. So even if you aren't intentionally storing personally identifiable information on your corporate laptops, if you work with that data on a corporate laptop some of the remnants might be left behind.
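To make the remnant problem concrete, here is an added example (not from the original post) using a constructed toy disk model: an ordinary delete only drops the allocation entry, so a scan of the raw image still finds the SSN-shaped string from a "cleaned up" temp file, while overwriting the blocks before release does not leave it behind. The `ToyDisk` class, the `carve_pii` scanner and the sample data are all constructed for this illustration.

```python
import re

BLOCK = 16  # bytes per block in this toy model

class ToyDisk:
    """Constructed stand-in for a drive plus allocation table (not a real filesystem)."""

    def __init__(self, nblocks):
        self.blocks = [b"\x00" * BLOCK for _ in range(nblocks)]
        self.free = list(range(nblocks))   # block numbers not owned by any file
        self.files = {}                    # name -> list of block numbers

    def write(self, name, data):
        need = (len(data) + BLOCK - 1) // BLOCK
        nums = [self.free.pop(0) for _ in range(need)]
        for i, b in enumerate(nums):
            self.blocks[b] = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\x00")
        self.files[name] = nums

    def delete(self, name):
        # Ordinary unlink: only the allocation entry goes away, the bytes stay put.
        self.free.extend(self.files.pop(name))

    def shred(self, name):
        # Mitigation: overwrite the file's blocks before releasing them.
        for b in self.files[name]:
            self.blocks[b] = b"\x00" * BLOCK
        self.delete(name)

    def raw(self):
        return b"".join(self.blocks)

SSN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")  # SSN-shaped token, as a forensic scan would look for

def carve_pii(disk):
    """Scan the whole image, allocated or not, and report where SSN-like strings sit."""
    live = {b for nums in disk.files.values() for b in nums}
    hits = []
    for m in SSN.finditer(disk.raw()):
        state = "allocated" if m.start() // BLOCK in live else "unallocated"
        hits.append((m.group().decode(), state))
    return hits

def remnant_after(cleanup):
    """Write a temp file holding a constructed SSN, clean it up with `cleanup`, then carve."""
    d = ToyDisk(8)
    d.write("claims.tmp", b"name=J. Doe ssn=123-45-6789 approved")
    getattr(d, cleanup)("claims.tmp")
    d.write("notes.txt", b"nothing sensitive here")  # later work lands on other blocks
    return carve_pii(d)

if __name__ == "__main__":
    print("after delete:", remnant_after("delete"))  # [('123-45-6789', 'unallocated')]
    print("after shred: ", remnant_after("shred"))   # []
```

Real filesystems, swap areas and temp directories behave like the `delete` path by default, which is why full-disk encryption or a verified wipe, rather than policy alone, is what lets an organisation say a lost machine held no recoverable personal data.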

And that is why the numbers don't add up. The majority of US states have data breach laws, and hundreds of thousands of laptops are being stolen annually. As I've explained, it is difficult to prove that a computer absolutely positively contained no personally identifiable information, so why were only 119 laptop incidents reported last year? A good question, isn't it?
