Laptop and PDA Security

This morning's article on the BBC News website that 11 million customers of the Nationwide Building Society in the UK have had their identities put at risk is a reminder to businesses that laptop and PDA security should be high on their agendas.

A considerable amount of similar data is held on many organisations' laptops and PDAs across the country. Indeed, most laptops are only secured with a password and anyone familiar with the various cracking tools readily available on the Internet will know just how easy it is to gain access to such machines.

Very few firms actually consider encrypting data on their laptops to defend against exactly this sort of scenario, but doing so would mitigate the risk considerably.

Many firms are allowing and even encouraging their staff to carry PDAs (which I do believe is more than appropriate, being something of an advocate for them). However, I am often alarmed at just how few insist that they should even be minimally secured with a simple password and even more alarmed at the poor grasp of the security issues that those that carry them actually have. As a matter of course, PDAs carry names and addresses of individual contacts, which obviously is a data protection issue.

The problem is that it doesn't become an issue until a laptop or PDA is lost or stolen. It is then that the reality dawns about just how bad the situation could be, but by then the damage has already been done.

Although I doubt that the laptop's data was looked at in this case, with the laptop probably being reformatted and sold on by the thief as quickly as possible, it won't be long before criminals start considering the potential value of the data on stolen devices. I suspect we will start to see cases where companies are blackmailed and an accelerating trade in illegally obtained data. Indeed, I am prepared to predict that we will see laptops and PDAs stolen to order because the potential value of the personal banking details of 11 million people is considerably greater and apparently easier to obtain than other items that might traditionally be stolen in a domestic burglary (which according to the BBC was how the Nationwide's laptop was stolen).

It also occurs to me while writing this article that this builds on a theme that seems to be unintentionally developing in this blog concerning the general cavalier attitude that financial institutions seem to have towards their customer's security. (For instance, my article on Bank Fraud in July.) I note from the BBC's article that the Nationwide have taken three months getting around to telling their customers about the incident.

Another alarming factor about the Nationwide case is the sheer number of people that must be affected. 11 million people represents almost one in five of the UK population, which is very close to every household in the country being affected statistically speaking.

Furthermore, I find it staggering that the Nationwide actually allowed an employee to leave their offices with so much data. It would have been considerably more alarming if the data had contained authentication details such as PIN numbers and passwords...

The problem with data like this is that its just another file on the disk - something pretty insignificant to look at in Windows Explorer and easily forgotten about. My experience is that most people have considerable difficulty in remembering what files they do have on their disks, so I am a bit alarmed that this data might not have been the only important things stored on the Nationwide laptop.

One would imagine that banks and building societies take considerable care in securing their customers' data. Indeed, the same level of care that the government might take storing the details on each and everyone of us in the proposed national identity card database.

The casual ease with which this data fell into the wrong hands has important ramifications for us all...