
    Forrester Loses Laptop Containing Personnel Data

    By Lisa Vaas - December 5, 2007

      Thieves stole a laptop from the home of a Forrester Research employee during the week of Nov. 26, potentially exposing the names, addresses and Social Security numbers of an undisclosed number of current and former employees and directors, the company said in a letter mailed to those affected on Dec. 3.

      Forrester “Chief People Officer” Elizabeth Lemons said in the letter that the hard drive is password-protected but made no mention of encryption.

      The laptop contained records pertaining to those who have received grants of Forrester stock options or who have participated in the research firm’s Employee Stock Purchase Plan, according to the letter. Those who have done contractual work for the consultancy, but who haven’t participated in either stock plan, also appear to be affected.

      The incident appears to be a clear case of, “Do as I say, not as I do.” Besides the irony of a technology consultancy that apparently does not encrypt sensitive data on employee laptops, the office of Forrester’s “chief people officer” apparently had not informed the firm’s media staff of the incident before sending out the letter.

      When eWEEK contacted Forrester’s press hotline on Dec. 5, a staffer said that this was the first she had heard of the incident.

      As such, the media relations staff was not prepared with an incident response plan. In these days of multiple weekly high-profile data breaches in the news, consultants routinely warn firms of the importance of encrypting portable data devices such as memory sticks, PDAs and laptops.

      They also encourage organizations to lay out incident response plans that detail a chain of command to ensure that the right executive is informed, that public relations staff are devoted to incident response and that the proper authorities have been notified, among other things.

      The idea that password protection actually protects laptop data is one that’s laughed out of the room by security professionals. “Anybody with a relative clue, or at least a copy of Knoppix or F.I.R.E. [data recovery tools], could potentially bypass security measures implemented on lost or stolen drives. Period,” wrote data breach experts at Attrition.org, a volunteer-run site that keeps a running list of data breaches relied on by organizations including Privacy Rights Clearinghouse.

      “Unless data on a drive is encrypted with a key either unknown or inaccessible to an intruder, that data is open to compromise,” Attrition said in a February posting that followed the recovery of a lost VA laptop.


      “We won’t even go into cracking AES256 or 3DES here; for the most part, such measures are impractical. Cracking algorithms over 128-bit is possible, but only with a lot of time and/or firepower. However, shoving a CD in the machine, rebooting and typing: ‘# mount /dev/hda1 /tmp/stolen_info/ # cd /tmp/stolen_info/ # ls -la’ is not that difficult and it makes all of that ‘password-protected’ data quite readable, even for a casual computer user.

      “If the person who stole the laptop were to remove the drive and perform a bit-by-bit copy, they would circumvent any password protection on the computer. Remember, BIOS and Operating System passwords rely on the computer and OS to boot up. If you remove the drive, neither will offer any level of protection and are completely worthless.”

      A volunteer for Attrition who goes by the online name “Lyger” told eWEEK that Forrester’s notification letter to those affected “should be of little comfort,” given that Forrester didn’t divulge whether the laptop’s hard drive was encrypted.
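The point Attrition makes above, turned into a check a defender can run on a Linux laptop (an added example, not code from the article or from Attrition.org): it reads `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output and lists every filesystem that does not sit on a dm-crypt/LUKS layer. The sample device tree, the function name and the boot-partition exemption are constructed assumptions.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
         "children": [
             {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]},
        {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/home"},
    ]}]})

# Signatures of containers (not readable filesystems themselves).
CONTAINERS = {"crypto_LUKS", "LVM2_member", "linux_raid_member"}
# Assumption: boot partitions are allowed to stay unencrypted.
BOOT_MOUNTS = {"/boot", "/boot/efi"}


def plaintext_filesystems(lsblk_json, exempt=BOOT_MOUNTS):
    """Return (name, fstype, mountpoint) for filesystems with no crypt layer above them.

    These are the volumes a login or BIOS password does not protect: anyone who
    boots other media or removes the drive can read them directly.
    """
    findings = []

    def walk(node, encrypted):
        # A device-mapper node of type "crypt" means everything below it is
        # only readable after the volume key has been supplied.
        encrypted = encrypted or node.get("type") == "crypt"
        fstype = node.get("fstype")
        mount = node.get("mountpoint")
        if fstype and fstype not in CONTAINERS and not encrypted and mount not in exempt:
            findings.append((node["name"], fstype, mount))
        for child in node.get("children", []):
            walk(child, encrypted)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return findings


if __name__ == "__main__":
    for name, fstype, mount in plaintext_filesystems(SAMPLE_LSBLK):
        print(f"UNENCRYPTED {name} ({fstype}) mounted at {mount}")
```

An unmounted plaintext filesystem is reported too, since it is just as readable once the drive is out of the machine.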

      At any rate, it may be ironic, but Forrester’s dilemma is far from unique. A former analyst for a defunct technology consultancy wasn’t surprised to learn the details behind the breach. “When I was at Meta, we didn’t do anything in our back office that we preached to others,” he said. “It is symptomatic of all businesses. They really don’t pay any attention to their own employees when warned of something wrong.”


      Forrester finds itself in good company when it comes to lost laptops. According to a recent study from the Ponemon Institute, lost and stolen laptops and mobile devices rank as the most frequent cause of a data breach:

      Almost half (49 percent) of data breaches in a 2007 study were due to lost or stolen laptops or other devices such as USB flash drives. That finding has been consistent throughout the years, Larry Ponemon, chairman and founder of the Ponemon Institute, told eWEEK when the study was released last week.

      Forrester has reported the theft to the local police department and the Middlesex County District Attorney’s Office in Massachusetts. Lemons said in the Forrester letter that the theft is an “isolated incident” and does not involve a breach of network security.

      Forrester is providing those affected—excepting residents of New York, due to what Forrester said are state laws restricting the practice—with a full year of credit monitoring, including $25,000 identity theft insurance.

      Forrester was not able to provide input for this article by the time it posted.


      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
