To lose a laptop may be regarded as a misfortune. To lose a laptop with 26.5 million IDs, including names, social security numbers and dates of birth, smacks of carelessness.
As the true story of the theft of data at the US Department of Veterans Affairs emerges, IT security professionals around the world will shake their heads in disbelief, and so too will their bosses.
It is bad enough that a civil servant was taking home confidential personal data for three years without permission. It is worse that he was able to remove so much data without triggering a systems alert, let alone arousing suspicion.
But the chain of events that followed the theft of the laptop containing the records is almost beyond comprehension.
When the data theft was reported, it took middle managers 13 days to flag up the scale of the data loss, and a further two days for the FBI to be informed.
It is all a grim reminder that no matter how strong your technical defences, humans remain the weakest link in the IT security chain.
Almost all organisations today have clearly laid down security policies, codes of conduct and procedures to follow in the event of security breaches, but how many of them are ever put to the test?
How many of us can say that IT security policies are regularly spelt out to staff, let alone that compliance with them is ever checked, or that those found to be in breach of them are disciplined?
It is up to IT leaders to take on this issue – and drag the HR and general security management teams with them if necessary.
If we don’t, not only is the organisation’s data at risk, but senior management can also quite legitimately question every penny the IT department spends on security technology. After all, what is the point of barring the windows and leaving the doors open?