Repetition
Why the repetition on the quote in the article?
London-based payment processing firm GoCardless is warning customers that their personal information might have been exposed following the theft of 19 laptops from its offices last month. The "password protected" (not encrypted) laptops contained a file with customer personal data including email address, passport number, date …
"There is a very low risk that this burglary will affect you as none of your financial data was involved, all the laptops were password protected, there is no firm evidence that any of the data was available on any stolen laptop"
How do they know there is a very low risk, not a very high risk? They don't, weaselly bastards.
Laptops were password protected. Without full disk encryption even an idiot like me can recover files with physical access. Weaselly bastards.
No firm evidence that any of the data was available on any stolen laptop; I guess they just haven't got a fucking clue what was on the laptops. Weaselly bastards.
I'm not sure I could construct a single paragraph with so much crap in it.
I've never heard of this bunch of cowboys before, but I have now. Thanks El Reg.
Wow. Okay, breathe.
What they are saying is that some bastards broke in and stole a lot of electronic shiny; so they believe that it was a bunch of scrotes looking for crap to pawn, and not professionals who could retrieve and sell the personal data on the laptops. And because they were password protected, the aforementioned scrotes will likely just wipe the laptops rather than try to get the personal information out of the data files (presumably a proprietary format).
"Are you even vaguely familiar with data protection regulations?"
I am. And they say nothing that would support your case. Only that precautions must be taken. Physical security is a perfectly reasonable precaution. One that works well for huge numbers of medical professionals dealing with much more sensitive data than this.
"On average the time before they are recognized, separated and go their own special way is 2-3 minutes. Even binmen"
You know what, the bin men (and women) at our local tip are experts in separating all sorts of recyclable materials. It's their job and they are very good at it. Able to tell a LaserJet from an inkjet at 50m. Or a pine wardrobe from a chipboard one. I imagine that they do separate hard drives from metal or other electricals with no malicious intent. They're also quite hot at stopping attempts to steal said hard drives from the tip by locking them away.
@ Adam 52
They're also quite hot at stopping attempts to steal said hard drives from the tip by locking them away.
Oh, definitely - because they are recycled at a premium. They are resold. This is in violation of electrical recycling regs which actually prohibit the resale of electricals from a domestic refuse site. The food chain which feeds on the resale usually contains one or more persons who check them for interesting data. This has been tested (not by me, too lazy to dig out the actual FULLD mail from a couple of years ago) by using data containing spamtrap addresses and putting them on the drives.
No, I do not work for them. Admittedly, as a Yank, I am not entirely up to speed on EU/UK Data Protection Laws.
I also was not holding GoCardless free of blame, I was translating the "Weasel Words" into non-corporate speech, and adding inferences about why they felt the risk to customers was very small.
The "Okay, breathe" comment was in regards to the anger at a company that you had no connection with, exemplified by referring to them as "weaselly bastards" several times. Had they lost your info and said "suck it up" then your rant would have been justified. As is, dude, take a breath.
so they believe that it was a bunch of scrotes looking for crap to pawn,
Try bringing a few enterprise class hard drives to your friendly local skip. Leave them next to the electronics dump, not thrown inside. Watch.
On average the time before they are recognized, separated and go their own special way is 2-3 minutes. Even binmen know what they are dealing with and there is a jolly market going on where they are checked if there is anything interesting on them before they are resold on eBay. The same will most likely happen to the laptops. The people who stole them will not bother recovering the data. The food chain which fences them will do that for sure. 100% guaranteed.
In any case, not having full disk encryption for a company is criminal. Even my kids' laptops are full-disk encrypted (after an incident where junior forgot his HP on a BA flight).
I got an email this afternoon from GoCardless as I am a customer. The subject was 'Gocardless Security Update' - hardly something to grab your attention relating to a security breach. I nearly ignored it.
Odd thing is the email was totally different, less alarming and didn't mention the free monitoring. As you will see there wasn't much to worry about, but reading the email on The Register I would have been worried, particularly as today for the first time ever I got a very convincing phishing email with my full name and home postcode used.
"We wanted to let you know that on the 7 January 2017, our premises were the victim of a burglary which affected our office and another company in the building. Despite CCTV surveillance, locked doors, and a 24/7 security guard, nineteen password protected GoCardless staff laptops were stolen.
All of our payment processing systems are secure, remain uncompromised and were unaffected by the burglary. There has been no impact on our day to day business and we continue to process payments as normal.
We have already informed the police, the Financial Conduct Authority and the Information Commissioner's Office of this burglary. We have also conducted an exhaustive internal investigation so that we can communicate to you any potential risks from this burglary.
Our investigation has concluded that the stolen laptops may contain a file with the name and email address of the person that signed up to GoCardless. No other personal data was in this file.
There is a very low risk that this burglary will affect you as this data has extremely limited use, there is no firm evidence that any of the data was available on any stolen laptop, and the burglars appear to have been targeting high value electronics rather than our data. However, we believe in transparency and so wanted to inform you of this burglary anyway.
We apologise for any concern or uncertainty this may cause."
"I got an email this afternoon from gocardless as I am a customer.
[...]
Odd thing is the email was totally different, less alarming and didn't mention the free monitoring. "
I got a different version of the email again - even less alarming than yours; the first three paragraphs were the same as yours, then where yours mentions the file, mine says:
"Our investigation has concluded that none of your data or your customers’ data was affected by this theft. However we believe in transparency and so wanted to inform you of this burglary anyway."
Then finishes with the same apology, and another sentence offering an email address to get in touch.
ISTM they've simply sent out a different email to different customers depending on how they're potentially affected; no data relating to me, name and email address for you, shit like passport number etc for whoever received the version in the El Reg article - and that's why that one gets the free monitoring.
shouldn't have been on any laptop.
OK nothing is perfect... swap space, temp files, hibernation file etc., etc. There are many ways that sensitive data can make its way onto and be recovered from a laptop drive or indeed any PC/tablet/phone etc.
The point is that if you have hardware that reads sensitive data the file system should be encrypted. And any place where the data could be stored during use should be zeroed/shredded at shut down.
Yes I am paranoid.
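An added example, not posted by anyone in this thread, of how to check the point made above on a Linux laptop: it parses the key=value output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` (a constructed sample is embedded; on a real host you would feed it the command's actual output) and reports which of the places where sensitive data lands (root, swap/hibernation, temp and home) are not backed by a dm-crypt device anywhere in their device stack. The sample shows the exact gap the comment warns about: an encrypted root with a plaintext swap partition.

```python
import shlex

# Constructed sample of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`: root and /home
# are LVM volumes on top of LUKS, but swap (hence any hibernation image) is a
# plain partition, exactly the gap the comment above warns about.
SAMPLE = """\
NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptlvm" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptlvm"
NAME="vg-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptlvm"
NAME="nvme0n1p3" TYPE="part" MOUNTPOINT="[SWAP]" PKNAME="nvme0n1"
"""

# Mountpoints where working copies of sensitive data end up.
SENSITIVE = ("/", "[SWAP]", "/tmp", "/var/tmp", "/home")


def parse_lsblk_pairs(text):
    """Map device NAME -> {TYPE, MOUNTPOINT, PKNAME} from `lsblk -P` output."""
    devices = {}
    for line in text.splitlines():
        if line.strip():
            # shlex handles the quoted KEY="value" tokens, empty values included.
            row = dict(tok.split("=", 1) for tok in shlex.split(line))
            devices[row["NAME"]] = row
    return devices


def is_encrypted(name, devices):
    """True if the device or any ancestor in its stack is a dm-crypt mapping."""
    while name:
        dev = devices.get(name)
        if dev is None:
            return False
        if dev.get("TYPE") == "crypt":
            return True
        name = dev.get("PKNAME", "")
    return False


def unencrypted_mounts(text, sensitive=SENSITIVE):
    """Sorted sensitive mountpoints that do not sit on an encrypted device."""
    devices = parse_lsblk_pairs(text)
    return sorted(d["MOUNTPOINT"] for d in devices.values()
                  if d.get("MOUNTPOINT") in sensitive
                  and not is_encrypted(d["NAME"], devices))


if __name__ == "__main__":
    print("plaintext mounts:", ", ".join(unencrypted_mounts(SAMPLE)) or "none")
```

Walking up PKNAME is what makes the LVM-on-LUKS case pass; a plain "is TYPE crypt" check on the mounted device would wrongly flag root and /home here.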
If they use a laptop as a secured server, then the above is moot.
Indeed. The fact that it was pretty much excludes the company from the "enterprise" category of people to deal with. But you do need some flexible IT. Give people sandpits so they can put together a linux box to process data if they want to. Just don't do it on laptops.
It is actually pretty desirable for the employees too. Give them a thin, light laptop with some attached big screens and put the data on another box which is less nickable. Then the full drive encryption on laptops becomes less of a hazard, because there's no important data there anyway. It doesn't have to be perfect, it just has to be too hard to be worthwhile.
This is an example of why you apply disk encryption to not only your laptops but your desktops as well. Burglars will take both, and users do like to dump files locally.
Servers may also require disk encryption if they're stored in a cupboard like many small businesses.
Apologies for pointing out the blindingly obvious, but common sense really isn't that common.
Gobsmacked at lack of data security and naivety over laptop passwords....
I'm a small user of their service, which I like, so it's a shame they're learning this the hard way.....I've asked if they're getting someone in to overhaul their security. I dare say their blue chip list of clients will be giving them the 3rd degree.....
I'm still able to log in, so it doesn't look like they have suspended the site as mentioned elsewhere....
In their favour, at least they have been very quick to notify users.
I emailed asking for details of the ID monitoring service as it was not mentioned in their email yesterday....
I hope they learn and progress as a good service otherwise.