Kids charity hit by server theft

A two-man break-in at the London offices of children's charity Plan UK has resulted in the theft of five computer servers. Plan UK has stated that while "the likely motive was to steal the equipment itself, rather than the data ... we cannot escape the fact that personal information is also stored on the servers". Explaining what …

  1. alain williams Silver badge

    Encrypt file systems ?

    For a run of the mill office server, encrypting the important file systems should not really slow it down too much. A quick search finds: Ubuntu extra overhead of 5%, others should not be vastly different. Thus acceptable on a modern server that has more CPUs/cores than you know what to do with.

    If you are smart: do not encrypt the file systems needed to get it up & running, then on a reboot you can ssh in and get the encrypted file systems mounted.

    1. Not Terry Wogan

      Re: Encrypt file systems ?

      While this has been brought up, in case anyone might find this useful, I tested Windows Bitlocker personally a couple of years ago and found a similar overhead (actually between 3-5%, IIRC). So: Linux or Windows - it's worth it.

      It's also worth checking that any new workstation or server systems being ordered (for business, at least) have TPM chips fitted.

      1. h4rm0ny

        Re: Encrypt file systems ?

        I had similar results using Bitlocker: a hit of around 3-5%. But it should be noted that this is with a CPU with AES extensions. Some older CPUs won't have hardware support for encryption and in that case the hit is much higher. Worth knowing so people can check in advance.

      2. Anonymous Coward

        Re: Encrypt file systems ?

        "It's also worth checking that any new workstation or server systems being ordered (for business, at least) have TPM chips fitted."

        Have you audited them to ensure that the T for "trusted" is justified? No? Hand in your tin foil hat 8)

        Seriously though, how the hell do we know that those things do what we think they do?
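As an added example (not from any commenter), the scheme alain williams describes, with h4rm0ny's AES-extension check built in: the boot filesystems stay unencrypted, the LUKS data volume is marked `noauto` so a reboot does not stall on a passphrase, and an admin opens and mounts it over ssh. Device, mapper and mount names (/dev/sdb1, data, /srv/data) are assumed.

```shell
#!/bin/sh
# Assumed crypttab line (noauto: boot must not wait for a passphrase):
#   data  /dev/sdb1  none  luks,noauto
# Assumed fstab line (noauto for the same reason):
#   /dev/mapper/data  /srv/data  ext4  defaults,noauto  0 2

# aes_ni_present FILE: exit 0 if a cpuinfo-format FILE lists the "aes"
# CPU flag. Without it, software AES makes the overhead far higher than
# the 3-5% quoted in the thread, so check before committing to encryption.
aes_ni_present() {
    grep -E '^flags[[:space:]]*:' "$1" | grep -qw aes
}

# open_and_mount_data: what the admin runs over ssh after each reboot.
# Idempotent: safe to re-run if the volume is already open or mounted.
open_and_mount_data() {
    dev=/dev/sdb1; name=data; mnt=/srv/data
    if ! aes_ni_present /proc/cpuinfo; then
        echo "warning: no AES CPU extensions; expect a larger overhead" >&2
    fi
    if [ ! -e "/dev/mapper/$name" ]; then
        # Prompts for the LUKS passphrase on the ssh session.
        cryptsetup open "$dev" "$name" || return 1
    fi
    mountpoint -q "$mnt" || mount "/dev/mapper/$name" "$mnt" || return 1
    echo "$mnt mounted from /dev/mapper/$name"
}
```

Run `open_and_mount_data` as root over ssh once the box is back up; the AES check can be run on its own against any saved cpuinfo file when specifying hardware.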

  2. Pascal Monett Silver badge

    So, malware isn't the only threat

    Sometimes you can also get hit by regular scum.

    I hope they at least had regular, up-to-date and useable data backups. If so, the only loss will have been material, and I'm sure that's insured.

  3. mordac

    identity theft

    FTFA: It's widely contested whether account numbers and sort codes are enough to result in theft.

    Probably not since it's printed on the bottom of every cheque...

    1. Anonymous Coward

      Re: identity theft

      But I tend not to write cheques to people in Nigeria.

      And you can set up a direct debit using one.

      1. Not Terry Wogan

        Re: identity theft

        Yes - I've had someone set up a fraudulent direct debit before with just my account number and sort code.

    2. jonathanb Silver badge

      Re: identity theft

      Someone set up a Talk Talk direct debit on my account, no idea where they got the details from as it's not a bank account I use very often.

      I did have a lineone account many years ago, that's now part of Talk Talk, but that was back in the days when you paid 2p per minute on your phone bill for access and the telephone company passed on some of that to the ISP, so they never had my bank details.

  4. BenBell

    That's novel

    ...normally, we hear about Data Breeches, not someone actually lifting-n-shifting servers.

    This is exactly why I BitLocker all servers I build/deploy. While it adds an overhead, the price of 15k disks and a couple of extra cores is nothing compared to the potential backlash of having unencrypted customer data stolen.

    1. HieronymusBloggs

      Re: That's novel

      "...normally, we hear about Data Breeches"

      Oops, wrong trousers.

      1. Doctor Syntax Silver badge

        Re: That's novel

        "Oops, wrong trousers."

        Not necessarily. Wearable tech seems to be popular these days. Or maybe just a few USB drives in the pockets.

    2. Vic

      Re: That's novel

      not someone actually lifting-n-shifting servers.

      It happened to us at ST many years ago. Some thieves smashed through into the server room and stole a bunch of Sun servers. Although all the data was for a secret project, it was believed that the theft was purely for the hardware.

      I inadvertently foiled the first attempt - the thieves came barrelling into the car park just as I was leaving, nearly smashing into the front of my car. But they came back for another go later...

      Vic.

  5. Your alien overlord - fear me

    If they can still write to all their patrons, the names and addresses must have been stored somewhere else. An organisation doing backups, perchance?

  6. Anonymous Coward

    Is that it??

    "supporter names, addresses, emails, as well as bank account and sort code numbers"

    That's all that was lost, apparently. Five servers suggests a lot more info than that - what else was compromised? Or did they just have way more hardware than they knew what to do with?

    1. Anonymous Coward

      Re: Is that it??

      One was a print server...?

      1. Anonymous C0ward

        Re: Is that it??

        In which case the logs on it could provide all sorts of juicy confidential info. Or just memos about the next staff meeting.

    2. John Tserkezis

      Re: Is that it??

      "Or did they just have way more hardware than they knew what to do with?"

      That's most likely the case.

      I was doing some third party IT work for a charity organisation, and noticed all their workstations had more RAM than anyone else's (even a multi-billion dollar bank that's our client), more than what they needed.

      They only had one server; however, they picked the best of the best of everything. The server was rack mount, when a tower in the same class and brand would have done the job. The RAID controller was battery backed, just in case the server lost power: it would restore outstanding data at the next power up.

      And a rack mount UPS, and a pull-out tray for the server keyboard, mouse and monitor.

      It was a whole lot more than what they needed. So I asked our people. Turns out, they're legislated on how much they can ask in donations in any given month, based on the previous month's spend. So, if they have a quiet month, they won't be able to ask for as much the next month.

      Easy fix: Burn up extra cash on computer equipment and other fancy crap. You don't get lean months too often, but often enough you can see they spend in splurges like that.

  7. Paratrooping Parrot

    "The Register contacted Plus UK to enquire about its security practices. We have not received a response as of publication."

    Maybe if you contacted Plan UK, you would have a better chance. ;-)
