The Mystery of the Lost Notebook

When you send your computers out for service, are you sending out your data as well?

Here's the short version of how this story begins: A couple of weeks ago I spilled coffee into my ThinkPad. Yes, I'm a klutz, and it was all my fault, even though I was stressed out.

Amazingly, the notebook continued to run and most of the keys still worked. I immediately started a full system backup (I use Windows Home Server for this, an outstanding product I recommend highly) and I separately copied the My Documents folder, where I keep all my data, to the server. Luckily for me I also have seven other computers here.

The notebook is about 18 months old, so I called up Lenovo service, which, it seems, is still run by IBM. (This fact alone was immediately reassuring.) The support rep confirmed what I had hoped, that when I bought the notebook I bought the "screw-up" policy that they call the "Lenovo Protection Service." They were going to fix my computer! I'll never again buy a notebook without such a policy. They sent me a shipping box via DHL. I put the notebook in it and shipped it back the next day.

That's when things went wrong, and when I started to think about the security implications of my predicament.

The Set-Up

I had shipped out my notebook without wiping the drive first. Even though I knew I had a full backup, I decided it was not worth it to clear the drive.

In an enterprise things are different; my understanding is that it's common to have a standard policy in large organizations that all such computers are wiped clean. If you don't have such a policy, you should. After all, in a well-managed enterprise, data should rarely be stored solely on a desktop or notebook computer, and reconstructing it on a new drive should be a straightforward process. But I'm a one-man enterprise here and I don't have such facilities.

eWEEK's Ryan Naraine has put together a top 10 list of must-have free security tools. Click here for the slide show.

The package was supposed to go to IBM in Memphis the next day. Instead, the next day DHL's tracking system showed it in Ohio. The day after that it finally got to Memphis ... and was promptly shipped to Nashville. This is when I started calling DHL and asking what &%^$ was going on. Unfortunately, it was Friday and they basically told me nothing would be happening before Monday.

On Monday they admitted that they had a problem and instituted a "dog search" of the warehouse in Nashville, where the package was last seen. My feelings were a mixture of rage and anticipation over what kind of new, high-end notebook I could get out of Lenovo to replace mine.

The Punch Line

Less than an hour after DHL admitted to me that the package was lost, I got a call from IBM to tell me that the notebook was repaired and that I should have it back the next morning. They had replaced both the keyboard and system board. The next morning it did indeed arrive in perfect working order, about a week after I had shipped it out. My respect for Lenovo and IBM remains as strong as my disdain for DHL has become.

Yes, DHL had delivered the notebook but didn't realize the fact. The next day a DHL investigator called once again to tell me that they were still looking for the package, and I filled them in on its location. I still wonder what happened when the package was delivered; surely the box was scanned at that point. What happened to that data?

And it's possible that, while it was "lost," someone imaged my hard drive or broke into it and stole data, but I'm going to assume that didn't happen and that this is a happy ending. From now on I drink my morning coffee from one of those travel cups with a sip-hole in the top.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.