IN ASSOCIATION WITH

 Home -   Events -   Training 

Laptop theft highlights security weakness
20-02-2008
by ElectricNews.Net

The records of over 171,000 Irish blood donors have been compromised following the theft of a laptop from an official in New York on 7 February.

The incident has sparked criticism of the Irish Blood Transfusion Service's (IBTS) data protection procedures by Citrix Chief Security Architect Chris Mayers who said they were "not as good as they should have been".

Mayers was explaining why the loss of 171,324 Irish donor records and 3,294 patient blood-groups during a mugging could have been prevented.

"They did have the basic measure in place which was encryption and it is encouraging. Workers can be placed at risk by merely carrying a laptop with them. Was it really necessary for that person to have a laptop, let alone have the information on them in the first place?" he told ENN.

"If... the worker in question had a terminal available where they could go, they wouldn't need to take a laptop with them," he added. Mayers explained that sensitive data should be kept in a data centre where it can still be accessed remotely but only from secure devices.

In this case, the New York Blood Centre's staff member was in possession of IBTS records as he was involved in a software program upgrade. Mayers pointed out that upgrades of systems can be done with "dummy information" and that this is common practice.

The records stolen include details such as names, addresses, dates of birth, gender, blood groups and contact phone numbers. Mayers explained that this data, if accessed, could be used for identity theft or even blackmail.

However, the IBTS maintained that the chances of this were remote as it had used one of the "the highest levels of security available" to encrypt the information on the laptop.

"The IBTS is very conscious of its obligations under the Data Protection Acts and has always strived to be fully compliant with those obligations. We are writing to each donor affected by this incident to reassure them and to advise them of the possibility, however remote, that their personal data might be accessed," the organisation said in a statement. It has also setup an information line at 1850 731 137.

The theft of this laptop is not an isolated incident. The Irish Times recently reported that 80 government laptops, 19 BlackBerrys and 10 memory keys have been stolen or have gone missing over the past five years.

"All organisations handling sensitive data need to take steps to keep all data 100 percent secure. That means ensuring data is properly encrypted, and travels only when necessary: not on ordinary CDs, print-outs, or even on laptops -- all of which appear to go missing with appalling regularity," said Mayers.

Meanwhile, the Government said on Tuesday that it had ordered a review of data security procedures three months ago, the results of which are not known yet.

Fine Gael's Communications spokesperson Simon Coveney on Wednesday called for a comprehensive security policy to be implemented across all government departments to prevent future data loses. This would include a prohibition on carrying any databases of personal information on mobile devices such as laptops, BlackBerrys and memory keys.

"This is an issue of crucial and growing importance. In the context of the political response to the loss of personal data in the UK, where the details of 25 million people went missing, this is something that needs political priority," said Coveney.

In November 2007 two British Revenue and Customs CDs containing the personal details of 25 million Britons were reported missing and to date have not been found.

By Bryan Collins