A recent Sunday Tribune article has brought to light a number of security breaches in both the Department of Foreign Affairs and the Office of the Revenue Commissioners. These follow on from earlier disclosures of other breaches in the civil service, which I blogged about here and here. This time the breaches relate to a number of laptops that were stolen.
A spokesperson for the Office of the Revenue Commissioners informed the Sunday Tribune that the laptops are password protected, which should protect any sensitive data that may be on them.
So we can all sleep safely at night knowing that our personal tax details, if stored on a Revenue laptop, will remain safe because the laptop is password protected. I don’t think so! At the very least I am sure these laptops would contain copies of the email files used by their staff, which in themselves could contain sensitive information.
We must ask the following questions:
Why does the Office of the Revenue Commissioners not know what data is held on the laptops?
If the Office of the Revenue Commissioners does not know where sensitive data is stored how can it be confident that it is securing it?
If the Office of the Revenue Commissioners cannot say whether or not sensitive information is on these laptops, does that mean they do not know where such information is being held? As per my previous post, are controls in place to ensure only authorised people access the appropriate level of information from authorised devices? Are controls in place to prevent authorised personnel copying information onto unauthorised devices?
What other information could be at risk? Did the staff who used these laptops use a VPN to connect back into Revenue’s network? If so, what steps has Revenue taken to ensure that these laptops cannot now be used to access that network, for example by revoking any VPN credentials or certificates installed on them?
Why are these laptops not encrypted? Standard good practice is that any device such as a laptop which will end up holding data should be encrypted. Relying on Windows passwords is not good enough anymore: the logon password only gates the running operating system, while the data on the disk sits in plaintext. Simply booting the laptop from a Linux live CD (or moving the drive into another machine) will allow full access to the data. Only full-disk encryption prevents that.
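To turn that question into a check you can actually run on a fleet, here is an added example; it is not code from the original post or from Revenue. It parses the key="value" output of `lsblk -P` on a Linux laptop and lists every mounted filesystem (and swap) that is not sitting on an opened dm-crypt/LUKS container, which is exactly the set of volumes a live CD reads without any password. The sample `lsblk` output is constructed, the allow-list of plaintext boot mount points is an assumption about your own policy, and the equivalent step on a Windows laptop (`manage-bde -status` for BitLocker) is not shown.

```python
"""Audit a Linux laptop's block devices for unencrypted data volumes.

Added illustration, not code from the original post. It parses the
key="value" output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`
and reports every mounted filesystem (and swap) that does not sit on a
dm-crypt ("crypt") mapping, i.e. whose contents a Linux live CD could
read without any password. The sample output below is constructed.
"""
import re
import subprocess

LSBLK_COLUMNS = "NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME"

# Mount points expected to be plaintext: the bootloader and kernel must be
# readable before any passphrase can be entered. (Assumed site policy.)
PLAINTEXT_ALLOWED = {"/boot", "/boot/efi"}

# Constructed sample: an EFI partition, an unencrypted root, plaintext swap,
# and a LUKS container opened as "home_crypt" and mounted on /home.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda"
NAME="sda3" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="sda"
NAME="sda4" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="home_crypt" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="sda4"
"""

_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk_pairs(text):
    """Turn `lsblk -P` output into a list of dicts, one per block device."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            devices.append(dict(_PAIR.findall(line)))
    return devices


def unencrypted_mounts(text, allowed=PLAINTEXT_ALLOWED):
    """Return (mountpoint, device, fstype) for each in-use volume that is
    not backed by a dm-crypt mapping and is not on the plaintext allow-list.

    Swap shows up as MOUNTPOINT="[SWAP]"; plaintext swap is reported too,
    because it can hold copies of whatever was in memory.
    """
    findings = []
    for dev in parse_lsblk_pairs(text):
        mnt = dev.get("MOUNTPOINT", "")
        if not mnt or mnt in allowed:
            continue
        if dev.get("TYPE") == "crypt":
            # Opened LUKS/dm-crypt container: the data at rest is encrypted.
            continue
        findings.append((mnt, dev.get("NAME", ""), dev.get("FSTYPE", "")))
    return findings


def audit_live_system():
    """Run lsblk on this machine and return its findings (Linux only)."""
    out = subprocess.run(
        ["lsblk", "-P", "-o", LSBLK_COLUMNS],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for mnt, name, fstype in unencrypted_mounts(SAMPLE_LSBLK):
        print(f"UNENCRYPTED: {mnt} on {name} ({fstype})")
```

On the constructed sample the audit flags `/` on sda2 and the swap partition on sda3, while `/home` passes because it is mounted from the opened LUKS mapping. Running `audit_live_system()` across a laptop estate gives you the inventory that the question above assumes Revenue did not have.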
Was the data on these laptops backed up?
If your organisation has laptops for mobile workers, how confident are you that none of them contain information that could compromise sensitive data in your care, or compromise your network?
Also consider setting up one or two laptops that contain no data but can simply be used by staff when they need to work offsite or give a presentation. When finished, the laptop is returned to IT and can simply be re-imaged to make it available for the next user.
