SMEs urged to encrypt data after BP loses laptop with claimants’ details

Businesses are being warned to encrypt the hard drives on their laptops and install comprehensive security measures after a portable computer lost by a BP employee revealed the data of more than 13,000 people who were affected by last year’s Gulf of Mexico oil spill.

The security scare comes just days after US giant RSA security announced that it had uncovered evidence that outsiders had accessed some elements of its system, issuing a warning to the hundreds of companies using its cryptographic tokens – including many in Australia.

BP announced that it sent letters on Monday to over 13,000 residents of the state of Louisiana, saying that a laptop containing their information had been lost. It offered to pay for services monitoring their credit ratings to insure no permanent damage would be made.

BP spokesperson Curtis Thomas told the Associated Press that the data included a spreadsheet of names, phone numbers and social security details.

“We’re committed to the people of the Gulf Coast states affected by the Deepwater Horizon accident and spill, and we deeply regret that this occurred,” he said.

The laptop was lost during “routine business travel”, but the company says it doesn’t have any indication the data has been misused.

But BP told the Associated Press that the information contained in the laptop was not encrypted – a security practice that AVG security evangelist Lloyd Borrett says should be implemented in every private sector computer.

“You need a full suite of security if you’re using a laptop, because you’re connecting to different places with WiFI networks and so on, such as hotels, and at home, etc. You want to make sure you have top security on your machine.”

“Personally, I encrypt my hard drives using an open source program, which provides a 20+ character long password. If my machine falls into anyone’s hands they can’t get very far with it.”

Borrett wrote a blog post last week that companies need to encrypt absolutely “everything”.

“For some organisations, the best option to protect laptops from the majority of loss or theft scenarios might be a combination of encryption methods. For most laptops, full disk encryption (FDE) or pre-encrypted drives are the best and simplest approaches,” he wrote.

He points to programs such as TrueCrypt which are free, and are able to encrypt data without much expertise required by the user.

“You can actually get some complicated set-ups where you have a plausible denial scenario. You can have an encryption software that allows someone to login with a password, but only displays certain information and not all of it.”

He also warns that users need to password protect everything, and also says that if laptops are shared by more than one employee, “files or content may need to be encrypted instead of the entire drive”.

Finally, he says businesses need to start thinking about using cloud technologies to access data rather than storing it on machines, where it can easily be stolen.

“The other aspect of this is that if you lost a laptop, it doesn’t matter overall because you still have your data. There are plenty of services like Carbonite and DropBox that come into play there.”

“It’s just amazing how some companies don’t have security systems and their laptops aren’t even set up with login screens. That means anyone who turns it on can just access everything.”

Sophos security head of technology Asia-Pacific Paul Ducklin also said in a statement the sobering part of the incident is that the unencrypted laptop was lost or stolen during business travel.

“Even in countries like Australia, where security breaches can simply be swept under the carpet thanks to the lack of mandatory disclosure laws. As far as I’m concerned, you have a clear moral duty not to take risks with data you keep about other people.”