I’m as much a fan of chocolate as one can be without having a problem per se (/me licks evidence off finger tips). Godiva Chocolatier definitely has some wares that I have been known to enjoy from time to time. That taste turned a little bitter in my mouth when I read the announcement that the company made yesterday. It turns out that the company had a laptop stolen. Normally, I shy away from writing about anything like this but, it really flagged a problem that doesn’t seem to be getting better any time soon.
A briefcase was stolen from a rental car that was parked outside a mall where the employee was visiting a Godiva retail store. This really says to me that it was little more than a crime of opportunity. The Godiva staffer notified police and the company as soon as it was apparent that the theft had taken place. The staffer did the right thing. In this instance there was data on the laptop that was stolen had information pertaining to employees. Namely their names, addresses and medical diagnosis for work restrictions. The nougat that got stuck in my teeth in this case was this line from their letter that is being sent to affected employees, "A password is required to log-in to the laptop, but the hard drive was not encrypted."
Now, this is an example and not Godiva specific by any measure. I’m going to go out on a limb and guess that this was a Windows based laptop. Really doesn't matter all that much for the purposes of this discussion. That being said there are no shortage of ways to bypass a password login. Just as one example there is the freely available utility called “ntpasswd” which would allow you to reset the administrator password on the local system. The short story is, if you have physical access to an asset, like a laptop for instance, it is all over but the crying.
I'm concerned that when I read that sort of information in a breach disclosure notice that it provides the reader with a false sense of security. We need to collectively dispense with this sort of syntax.
Time and again we read about laptops being stolen or lost and that these devices contained sensitive information. I get that people need to be able to do their jobs. But, this begs the question. If this information is so important/sensitive then why are these devices not encrypted? This troubles me to no end that this cycle continues to repeat. How do we get off this hamster wheel of pain? I worry that change will only happen on the heels of calamity. Not a moment sooner.
(Image used under CC from EverJean)