A laptop containing the personal information of some 13,000 U.S. residents who filed compensation claims as a result of the Deepwater Horizon oil spill was misplaced by a BP employee. According to a report on eWeek, the laptop was lost on March 1, and contains a spreadsheet that lists the names, addresses, phone numbers, dates of birth and Social Security numbers of the claimants; in short, all the ingredients required to pull off identity fraud.
For his part, BP spokesman Tom Mueller sought to give assurance that the laptop was not targeted for its sensitive data:
"There is no evidence that the laptop or data was targeted or that anyone's personal data has in fact been compromised or accessed in any way."
Unfortunately, the words were probably of scant comfort to those affected. For though the laptop was password-protected, the data on its hard disk drive was not encrypted. The latter fact means that accessing the password-protected spreadsheet is as simple as booting up the laptop using a bootable USB flash drive or optical disc to circumvent the Windows password prompt. An alternative method involves directly extracting the data by physically removing the hard disk drive and accessing it from another workstation. For now, BP says it has notified all affected individuals, and has offered them free credit monitoring services with Equifax.
On one level, it is startling to learn that an enterprise like BP has not implemented encryption to protect against data leakages. Instead of using this incident as an excuse to rest on their laurels, however, small- and mid-sized businesses need to take it as a wake-up call to the fact that laptops can be misplaced or stolen anywhere and by anyone.
Indeed, I will confess that I once completely forgot about my laptop bag and walked right off without it after dinner. Well, I was fortunate in that the janitor who took my bag promptly returned it to me when I frantically rushed back. Another anecdote I heard involved a man bringing his new laptop on an overseas work trip. The man apparently put it down at his feet when he sat down for about 10 minutes. He reached out for it upon preparing to move off, only to find that the laptop was already gone.
My point is that misplaced (or stolen) laptops are a phenomenon that affects everyone. In that vein, it can be argued that SMBs have far fewer resources to deal with the fallout of any serious data leakages, and should hence make protecting the data on portable computers a priority. To help you along, you might want to read about why SMBs should adopt full-disk encryption. And contrary to misconceptions, implementing the BitLocker tool in Windows is not difficult; read about my 2009 account in "My Experience with BitLocker."
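The check below is an added example, not part of the original article: a PowerShell audit that reports whether each volume on a laptop is actually protected by BitLocker, including the case where the disk is encrypted but protection has been suspended. `Test-VolumeAtRest` is a hypothetical helper name; `Get-BitLockerVolume` is the built-in cmdlet and must be run from an elevated prompt.

```powershell
# Added example: audit BitLocker state on the local machine.
# Requires an elevated session and a Windows edition that includes BitLocker.

function Test-VolumeAtRest {
    # Hypothetical helper (not a built-in cmdlet): evaluates one volume object
    # as returned by Get-BitLockerVolume.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume
    )
    process {
        $issues = @()
        $status     = "$($Volume.VolumeStatus)"
        $protection = "$($Volume.ProtectionStatus)"

        # A logon password alone does not protect the disk; the volume itself
        # must be fully encrypted, not decrypted or only partly converted.
        if ($status -ne 'FullyEncrypted') {
            $issues += "not fully encrypted ($status, $($Volume.EncryptionPercentage)%)"
        }

        # Protection 'Off' on an encrypted volume means BitLocker is suspended:
        # the volume key is kept in the clear, so the disk is readable when
        # booted from other media or attached to another machine.
        if ($protection -ne 'On') {
            $issues += "protection is $protection"
        }

        [pscustomobject]@{
            MountPoint    = $Volume.MountPoint
            VolumeType    = "$($Volume.VolumeType)"
            KeyProtectors = (@($Volume.KeyProtector |
                                ForEach-Object { "$($_.KeyProtectorType)" }) -join ', ')
            Compliant     = ($issues.Count -eq 0)
            Issues        = ($issues -join '; ')
        }
    }
}

$report = Get-BitLockerVolume | Test-VolumeAtRest
$report | Format-Table -AutoSize -Wrap

# When saved as a .ps1 script, a non-zero exit code lets a management tool
# or scheduled task flag the machine as unprotected.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```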
For now, feel free to share your personal anecdotes of lost or stolen laptops in the comments section below (including near misses).