BP in troubled waters over Gulf oil spill data spill

Filed Under: Data loss, Law & order, Privacy

US National Public Radio (NPR) reports today that BP's Gulf oil spill woes - which already include paying out compensation amounting to a whopping $4,000,000,000 - have been worsened by a data spill.

Ironically, the lost data includes personally identifiable information (PII) about some 13,000 oil spill compensation claimants.

NPR reports that names, addresses, phone numbers and social security numbers - a key aspect of personal identity in the USA - were amongst the data lost.

The sobering part of this regrettable incident is that it happened because a single laptop was lost or stolen "during routine business travel". And laptops are easy to lose - back in 2008, we wrote about a survey which found that 12,000 laptops are lost every week at US airports alone.

(Re-read those numbers above. When I first saw them in print, I misread the figure as "12,000 laptops lost per year", which sounded bad enough. It took a while before I realised that the rate was per week - 50 times higher than the number that had already got me worried!)

Back in that 2008 survey, almost three years ago now, 53% of people said that their laptops contained confidential business information, with two thirds having taken no measures to secure their data. Clearly, some companies still aren't taking appropriate measures.

We all need to lift our game, even in countries like Australia, and much of the rest of Asia Pacific, where security breaches can simply be swept under the carpet thanks to the lack of mandatory disclosure laws.

Even if you're the sort of organisation which is willing to take risks with your own data - sales forecasts, trade secrets, and that sort of thing - you have a clear moral duty not to take risks with data you keep about other people.

Unfortunately, in those parts of the world where encryption and mandatory disclosure are not enforced by law, many sysadmins are being squeezed by budgetary pressures to do as little as possible about encryption-related security.

I'm not sure I understand that sort of economy. Surely your customers (or students, constituents, clients - whatever you call them in your sector) will value your service much more strongly if you can show that you are willing to do what's right and safe with their data?

Why not consider the value of encryption to your business, instead of considering only the cost?

(To protect data on your own computers, especially if you intend to back it up or want to share it securely with friends on the web or via email, why not pick up a copy of Sophos Free Encryption for Windows today? Direct download - no registration required.)


7 Responses to BP in troubled waters over Gulf oil spill data spill

  1. Toby · 1305 days ago

    Thanks for the note to re-read the numbers - I thought actually the same. 12'000 a year, which you stated right is bad enough. But 12'000 laptops a single week is just not imaginable.

    Even though the survey was back in 2008 I really don't think the numbers changed after all :-(

  2. Cyber_Secs · 1305 days ago

    Duck where does it say that this lappy was unencrypted?

    • Paul Ducklin · 1305 days ago

      That's according to NPR, which quoted a BP spokesperson - see the link at the top of the article - thus:

      "BP spokesman Curtis Thomas said...[t]he laptop was password-protected, but the information was not encrypted."

    • Pedant · 1305 days ago

      In the article he links to in the first line.
      "The laptop was password-protected, but the information was not encrypted"

  3. Richard Wall · 1305 days ago

    There are so many free encryption technologies available today anyway that are pretty reliable, like TrueCrypt. Budget restraints aren't really an excuse.

  4. Daniel J Hadfield · 1303 days ago

    How on Earth do people lose so many laptops? Do these people lose that many wallets/keys as well?

    Laptops are big bulky things, they're easy to notice that you don't have it anymore.

  5. Thanks for every other great post. Where else may anyone get that kind of information in such an ideal approach of writing? I've a presentation next week, and I am at the search for such info.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog