Exclusive: Laptop thefts pose gov data risk

A Freedom of Information enquiry by silicon.com has uncovered the number of laptops stolen from key UK government departments over the past year, raising questions and concerns about sensitive data falling into the wrong hands.

The worst affected department was the Ministry of Defence. It reported 21 laptops were stolen between July 2005 and July 2006.

The Home Office in total suffered 19 stolen laptops over the past year. Perhaps most worrying among those losses were four laptops stolen from the Identity and Passport Service. The Core Home Office unit suffered seven stolen laptops, while HM Prison Service had eight laptops stolen.

The Department of Trade and Industry told silicon.com it had 16 laptops stolen over the past year, while the Department for Work and Pensions reported it had nine laptops stolen. The Department of Health said it had lost 18 laptops, though couldn't clarify whether these were lost or stolen.

A submission from Defra, which lost 17 laptops, suggested government laptops are predominantly given out to senior members of staff at the departments. These are individuals in some cases likely to have access to the most sensitive information. The rural affairs agency named all staff who had lost laptops, including a number of senior managers and heads of division.

Further reading…

♦ Leader: Missing laptops and lazy risk management
♦ Mobile phones leak from UK government

Experts who work with organisations to assess the level of risk they face following the loss or theft of laptops, have told silicon.com the fact these laptops are at large could present a serious risk of data theft, which should concern UK citizens.

Bryan Sartin, VP investigative response at CyberTrust, said laptops are the number one source of data theft across organisations largely due to the fact the owners have already done the hard part - taking data outside the four walls and the protected digital perimeter of the organisation.

He said any organisation that accesses sensitive information should consider itself a target.

Once the laptop has fallen into the wrong hands, getting into it and accessing sensitive data is relatively easy, according to Peter Wood, from penetration testing company First Base Technologies.

Wood said 90 per cent of stolen laptops are probably accessible within 10 minutes and even many of those with more sophisticated levels of encryption can still be accessed within three hours.

He added: "We see laptops with supposedly stronger security in place, such as smartcard authentication, but these are still trivially easy to overcome.

silicon.com Public Sector

Get the latest public sector news straight to your inbox. Sign up for the PS newsletter today!

"And once you are onto the laptop it is possible to get all the passwords and use those credentials to access the VPN. You can own the laptop within 10 minutes and own the network shortly after."

Only those laptops with full disk encryption will thwart dedicated data thieves, said Wood.

And many doubt government departments will have levels of sophisticated security in place which even more advanced private sector organisations have been slow to adopt.