When you send your computers out for service,
are you sending out your data as well?
Here's the short version of how this story begins: A couple of weeks ago I
spilled coffee into my ThinkPad. Yes, I'm a klutz, and it was all my fault,
even though I was stressed out.
Amazingly, the notebook continued to run and most of the keys still worked.
I immediately started a full system backup (I use Windows Home Server for this,
an outstanding product I recommend highly) and I separately copied the My
Documents folder, where I keep all my data, to the server. Luckily for me I
also have seven other computers here.
The notebook is about 18 months old, so I called up Lenovo service, which,
it seems, is still run by IBM. (This fact
alone was immediately reassuring.) The support rep confirmed what I had hoped,
that when I bought the notebook I bought the "screw-up" policy that
they call the "Lenovo Protection Service." They were going to fix my
computer! I'll never again buy a notebook without such a policy. They sent me a
shipping box via DHL. I put the notebook in it and shipped it back the next
That's when things went wrong, and when I started to think about the
security implications of my predicament.
I had shipped out my notebook without wiping the drive first. Even though I
knew I had a full backup, I decided it was not worth it to clear the drive.
In an enterprise things are different; my understanding is that it's common
to have a standard policy in large organizations that all such computers are
wiped clean. If you don't have such a policy, you should. After all, in a
well-managed enterprise, data should rarely be stored solely on a desktop or
notebook computer, and reconstructing it on a new drive should be a
straightforward process. But I'm a one-man enterprise here and I don't have
eWEEK's Ryan Naraine has put together a top 10 list of must-have free security tools. Click here for the slide show.
The package was supposed to go to IBM in Memphis
the next day. Instead, the next day DHL's tracking system showed it in Ohio.
The day after that it finally got to Memphis
... and was promptly shipped to Nashville.
This is when I started calling DHL and asking what &%^$ was going on.
Unfortunately, it was Friday and they basically told me nothing would be
happening before Monday.
On Monday they admitted that they had a problem and instituted a "dog
search" of the warehouse in Nashville,
where the package was last seen. My feelings were a mixture of rage and
anticipation over what kind of new, high-end notebook I could get out of Lenovo
to replace mine.
The Punch Line
Less than an hour after DHL admitted to me that the package was lost, I got
a call from IBM to tell me that the notebook
was repaired and that I should have it back the next morning. They had replaced
both the keyboard and system board. The next morning it did indeed arrive in
perfect working order, about a week after I had shipped it out. My respect for
Lenovo and IBM remains as strong as my
disdain for DHL has become.
Yes, DHL had delivered the notebook but didn't realize the fact. The next day
a DHL investigator called once again to tell me that they were still looking
for the package, and I filled them in on its location. I still wonder what
happened when the package was delivered; surely the box was scanned at that
point. What happened to that data?
And it's possible that, while it was "lost," someone imaged my
hard drive or broke into it and stole data, but I'm going to assume that didn't
happen and that this is a happy ending. From now on I drink my morning coffee
from one of those travel cups with a sip-hole in the top.
Editor Larry Seltzer has worked
in and written about the computer industry since 1983. For insights on
security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry
Seltzer's blog Cheap Hack.