By Will Sturgeon, 3 August 2006 11:35
NEWS
A Freedom of Information enquiry by silicon.com has uncovered the number of laptops stolen from key UK government departments over the past year, raising questions and concerns about sensitive data falling into the wrong hands.
The worst affected department was the Ministry of Defence. It reported 21 laptops were stolen between July 2005 and July 2006.
The Home Office in total suffered 19 stolen laptops over the past year. Perhaps most worrying among those losses were four laptops stolen from the Identity and Passport Service. The Core Home Office unit suffered seven stolen laptops, while HM Prison Service had eight laptops stolen.
The Department of Trade and Industry told silicon.com it had 16 laptops stolen over the past year, while the Department for Work and Pensions reported it had nine laptops stolen. The Department of Health said it had lost 18 laptops, though couldn't clarify whether these were lost or stolen.
A submission from Defra, which lost 17 laptops, suggested government laptops are predominantly given out to senior members of staff at the departments. These are individuals in some cases likely to have access to the most sensitive information. The rural affairs agency named all staff who had lost laptops, including a number of senior managers and heads of division.
Further readingÂ…
♦ Leader: Missing laptops and lazy risk management
♦ Mobile phones leak from UK government
Experts who work with organisations to assess the level of risk they face following the loss or theft of laptops, have told silicon.com the fact these laptops are at large could present a serious risk of data theft, which should concern UK citizens.
Bryan Sartin, VP investigative response at CyberTrust, said laptops are the number one source of data theft across organisations largely due to the fact the owners have already done the hard part - taking data outside the four walls and the protected digital perimeter of the organisation.
He said any organisation that accesses sensitive information should consider itself a target.
Once the laptop has fallen into the wrong hands, getting into it and accessing sensitive data is relatively easy, according to Peter Wood, from penetration testing company First Base Technologies.
Wood said 90 per cent of stolen laptops are probably accessible within 10 minutes and even many of those with more sophisticated levels of encryption can still be accessed within three hours.
He added: "We see laptops with supposedly stronger security in place, such as smartcard authentication, but these are still trivially easy to overcome.
silicon.com Public Sector
Get the latest public sector news straight to your inbox. Sign up for the PS newsletter today!
"And once you are onto the laptop it is possible to get all the passwords and use those credentials to access the VPN. You can own the laptop within 10 minutes and own the network shortly after."
Only those laptops with full disk encryption will thwart dedicated data thieves, said Wood.
And many doubt government departments will have levels of sophisticated security in place which even more advanced private sector organisations have been slow to adopt.
Comments
There are 5 comments. Join the discussion
1. Robert Machin
A growing threat must also be the use of PDAs and smartphones, often carrying copies of sensitive mails, personal and business data and so on - easier to lose than a laptop and, typically, even more vulnerable to access.
2. Amy
The Bush Administration announced on 26 June that all laptops belonging to Government departments and agencies must be encrypted. When will our government learn the lesson? It seems that multiple instances of laptop theft are not enough, so what will it take?
3. Graham Coles
'and even many of those with more sophisticated levels of encryption can still be accessed within three hours.'
What kind of lame encryption are these muppets using?
I wonder how quickly this data would be compromised if they used freely available open-source software like truecrypt.
If I need to keep sensitive data on a windows machine, I usually create a truecrypt volume using a somewhat paranoid three ciphers and keyed from a combination of complex passphrase and a randomly generated file on a usb stick. If the laptop is compromised, the data is worthless. What rubbish are these idiots using, password protected word and excel documents?
It's good to know that the passport and identity agency are going to such trivial lengths to protect highly confidential data while those idiots in government attempt to persuade a population that doesn't want ID cards that their personal data will be 100% safe from improper access on their systems ...
4. Chris Goodman
I am doubtful if there is really a requirement, other than personal convenience and status, for that many laptops provided in the public service. In this day of networking it seems to me that only where true mobility is needed where no desktop is available should consideration be given to public funded laptops.
I further feel that where there is a loss of laptop, then the individual responsible for it's security should, without the option of a write off, be debited with the cost of producing a NEW replacement as well as being disciplined.
5. anonymous
The answer to 'what kind of encryption' is that the writers of the article don't know, (or don't care to know) because if they did then there would be no 'Exclusive:' story.
Under FOI they could easily have found out that the laptop data was protected. "Only those laptops with full disk encryption will thwart dedicated data thieves, said Wood." - that's why it is standard on government laptops.