Enabling Secure Business Operations

Lost Laptop Propaganda

Another lost laptop story, this time from the UK. The details of the theft aren’t too unique – laptops with sensitive patient data were stolen from a hospital and a doctor’s house, and while the files were supposed to be encrypted, they weren’t. This story, much like every other data leak story, brings up the same arguments for why it isn’t a big deal:

  • “The data, which also cannot be accessed without passwords, contained patients’ names, postcodes, hospital numbers and dates of birth.” (Emphasis added)
    Passwords are ridiculously weak forms of security, and if the files aren’t encrypted, the statement that access is impossible without a password is most likely just flat-out wrong.
  • “However they insisted there was no reason to believe the computers had been targeted for the information they contained, merely for their monetary value.”
    Targeted or otherwise, the data is now freely accessible to the thief. There’s equally no reason to believe that this will not be exploited. While historically, thieves are just in it for the quick score, that’s not really a guarantee.
  • “However he insisted that only someone with ‘specialist computer knowledge’ would be able to crack the passwords and access it.”
    It’s not too hard to find people who know their way around a computer. And, thanks to the internet, specialist-type information is ridiculously easy to find.
  • “‘We believe the data will almost certainly be wiped by the thief so he can get a quick sale.’”
    Without any evidence that this is the case, you can believe whatever you want. I’m sure that’s really comforting to the people whose data is at risk.
  • “The hospital has stressed that the data was only a copy of information stored centrally, so no details of appointments or treatment have been irreparably lost.”
    Well, thank goodness the people responsible for the data didn’t get hurt.

Every story about a data leak, regardless of the source (hospital, bank, etc.), always seems to contain the same PR spin. “Well, the files are password protected anyway, and the person who stole them probably isn’t even going to notice, and it doesn’t matter because they probably just want to wipe the hard drive and sell the machine anyway, so, no hard feelings, okay? We’re sorry we weren’t adhering to the applicable laws and data protection standards, but this probably isn’t a big deal anyway.”

I understand the desire to try to mitigate the problem and reassure customers that things will “be alright”. But, these arguments are at best wishful thinking and at worst outright lying. If someone’s data could have been compromised, they need to understand the steps they need to take to protect themselves, not be reassured that it’s probably not a big deal.

4 Responses to “Lost Laptop Propaganda”

  1. Tim Says:

    In a way, even though they have to disclose this information, I can’t help but feel that the hospital is actually announcing to the thief that the laptops they just stole contain vital information. Sure, the thief may have just wiped the drives and dumped the laptops on the first buyer, but now, armed with a simple news report, he knows he can also score some more cash by selling the user information that he might not even have known was there.

    Score one for disclosure!

  2. Alejandro Says:

    What’s up? Thanks a bunch for the blog. I’ve been digging around for info, but there is so much out there. Yahoo led me here – good for you I suppose! Keep up the good work. I will be coming back over here in a couple of days to see if there are updated posts.

  3. Jan Carmena Says:

    That is nice to definitely realize a website where the blogger extremely knows what he is talking about.

  4. Sherry Robicheaux Says:

    You own a very fascinating blog overlaying plenty of topics I am interested in as well. Just bookmarked your weblog so I can read more in the subsequent days… Simply proceed your marvellous article writing