Nationwide laptop theft offers data safety lessons

The theft of a laptop computer from the home of a Nationwide employee has raised questions about how much data staff need to carry on mobile devices and what IT directors can do to protect sensitive information.

Download this free guide

From forensic cyber to encryption: InfoSec17

Security technologist Bruce Schneier’s insights and warnings around the regulation of IoT security and forensic cyber psychologist Mary Aiken’s comments around the tensions between encryption and state security were the top highlights of the keynote presentations at Infosecurity Europe 2017 in London.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

The theft, which occurred over the summer, only came to light this month. A spokesman for the building society said customer data on the password-protected laptop was used for market research.

Phil Cracknell, UK president of the Information Systems Security Association, said that even with a password-protected laptop, it was still possible to remove a drive and install it on another machine to get at the data. The best way to secure data on a laptop is to deploy hard drive encryption, he said.

Another option is for IT security chiefs to determine what data end-users need to carry with them.

David Lacey, a founding member of IT security user group the Jericho Forum, said, "There is a trend today for criminals to infiltrate organisations or to work with people on the inside. This is a growing problembecause all this data is easy to make money out of."

For certain tasks there should be no need for an end-user to carry customer data on a laptop.

Lacey, former chief information security officer at Royal Mail, said, "If you are doing market research, one would have thought that you do not need to know names and addresses."

To perform tasks such as trend and market analysis it is often not necessary to identify individual customers. "If you deal with sensitive personal data, it can be made anonymous by separating the names from the personal information so you cannot identify any individual," Lacey said.

Such a technique is not new to IT departments.

Graham Titterington, principal analyst at Ovum, said, "The 'anonymisation' or 'randomisation' of data has been used in software testing for years."

Beyond making the information anonymous, he suggested that one way that an organisation could protect its data against theft would be to use digital rights management - the technique the recording industry has adopted to prevent MP3 and CD-based music from being ­pirated.

David Lacey's security blog

www.computerweekly.com/blogs/david_lacey