Nationwide laptop theft offers data safety lessons

The theft of a laptop computer from the home of a Nationwide employee has raised questions about how much data staff need to carry on mobile devices and what IT directors can do to protect sensitive information.

Warwick Ashford, Senior analyst

Published: 23 Nov 2006 0:00

The theft of a laptop computer from the home of a Nationwide employee has raised questions about how much data staff need to carry on mobile devices and what IT directors can do to protect sensitive information.

The theft, which occurred over the summer, only came to light this month. A spokesman for the building society said customer data on the password-protected laptop was used for market research.

Phil Cracknell, UK president of the Information Systems Security Association, said that even with a password-protected laptop, it was still possible to remove a drive and install it on another machine to get at the data. The best way to secure data on a laptop is to deploy hard drive encryption, he said.

Another option is for IT security chiefs to determine what data end-users need to carry with them.

David Lacey, a founding member of IT security user group the Jericho Forum, said, "There is a trend today for criminals to infiltrate organisations or to work with people on the inside. This is a growing problembecause all this data is easy to make money out of."

For certain tasks there should be no need for an end-user to carry customer data on a laptop.

Lacey, former chief information security officer at Royal Mail, said, "If you are doing market research, one would have thought that you do not need to know names and addresses."

To perform tasks such as trend and market analysis it is often not necessary to identify individual customers. "If you deal with sensitive personal data, it can be made anonymous by separating the names from the personal information so you cannot identify any individual," Lacey said.

Such a technique is not new to IT departments.

Graham Titterington, principal analyst at Ovum, said, "The 'anonymisation' or 'randomisation' of data has been used in software testing for years."

Beyond making the information anonymous, he suggested that one way that an organisation could protect its data against theft would be to use digital rights management - the technique the recording industry has adopted to prevent MP3 and CD-based music from being pirated.

David Lacey's security blog

www.computerweekly.com/blogs/david_lacey

Comment on this article: computer.weekly@rbi.co.uk

Nationwide laptop theft offers data safety lessons

The theft of a laptop computer from the home of a Nationwide employee has raised questions about how much data staff need to carry on mobile devices and what IT directors can do to protect sensitive information.

Read more on IT risk management

Glasgow City Council slammed for losing 700 computers

Half of education institutions victims of mobile IT theft

The top five SME security challenges

VeriSign employee data exposed in laptop theft

SearchCIO

Racial, gender diversity in tech improving at a glacial pace

The future of trust must be built on data transparency

What are the advantages and disadvantages of RPA?

SearchSecurity

McAfee sells off enterprise business for $4 billion

Rebuild security and compliance foundations with automation

Microsoft makes passwordless push in Azure Active Directory

SearchNetworking

Will enterprises adopt SONiC OS and disrupt proprietary WAN?

Enterprise edge is telecom operators' new frontier

NOC performance metrics for optimal operation

SearchDataCenter

CRAC design upgrades simplify HVAC maintenance

IBM leans on Red Hat to adapt Power servers for hybrid cloud

Private cloud certificates to build up your tech skills

SearchDataManagement

Oracle Database 21c looks for adoption of blockchain tables

Yugabyte raises $48M to build out distributed SQL database

What is a data warehouse analyst?