Once, Twice, Three Times A Loser... Wait, Make That Four

from the when-you're-in-a-hole-stop-digging dept

Last November, we wondered exactly why a Boeing employee was carrying around a laptop containing the names, birth dates, Social Security numbers and bank account info of 161,000 thousand current and former employees. That laptop was, of course, stolen. That breach didn't seem to teach the company anything, as five months later, another laptop was stolen, though it had info on "only" 3,600 workers. Another one was stolen from an employee's home last month, containing info on 762 people. But, in a remarkable show of stupidity hardheadedness, Boeing says a laptop containing the information of a staggering 382,000 current and former employees was stolen from an employee's car earlier this month. It's hard to know where to start here, but obviously Boeing deserves a lot of criticism for allowing this to happen three times, which is just ridiculous. It's still completely unclear why an employee needs to be carrying this sort of information around, but even more mind-boggling is after being bitten the first time, Boeing didn't put a stop to it. More perplexing still is why the company allowed it to go on after the second incident -- or the third. The company says it will make the standard offer of credit monitoring for three years to those whose data was lost, which really means little. Boeing's repeated loss of personal information once again highlights how little motivation companies have to protect this information, given the lack of liability they apparently enjoy and the toothless punishments they receive (if any) for the leaks. Above all, the fundamental question remains: what good reason is there for a company to allow this sort of information to be carried around on a laptop, given the obvious risk such activity invites? Boeing, we're all ears.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Unknowledgeable Geek, 13 Dec 2006 @ 11:24am

    Can't Understand

    If you can't understand why and employee would have information concerning the companies employees you have never had a HR department or an Accounting department at you place of business.

    This information is necessary for the Accounting staff to pay employees, file taxes, etc. If you don't understand this, please attend a ACT 101 class.

    Now this information leaving company grounds. If you have ever worked for a small company (which Boeing is not, I understand that) that usefullness of HR and Accouting is high, but the ability to afford one full time, this usually isn't possible. Thus, these employees work only 1 or 2 days a week and yes sometimes from home. Oh my god, employees in the US work from home. If they are working from home, what information are the going to use to work?

    Now, to say that that sucks when a laptop gets stolen, this is true. To say it sucks more when the laptop has ID info on it, i can agree with that as well. But to say you don't understand why people would have that info on their computers, i don't agree.

    link to this | view in chronology ]

    • identicon
      Adam, 13 Dec 2006 @ 11:35am

      Re: Can't Understand

      If Boeing can't keep from having laptops from being stolen, then it needs to rethink how sensitive data is accessed. I am quite familiar with HR & Accounting. Are you familiar with "VPN" ? So that employes can access and work on sensitive data from home, without it leaving the corporation? Read,write, and save changes to the files, but leave 'em on the file shares. OR.... have that info at lease reside on desktops, and have employees access those desktops via remote access, but again, leaving the sensitive data OFF the laptops. Adam

      link to this | view in chronology ]

      • identicon
        Unknowledgeable Geek, 13 Dec 2006 @ 11:41am

        Re: Re: Can't Understand

        Are you familiar with VPN?

        How many programs out there can gather information from a VPN connection, too many to count. So yes, VPN would be more secure, but still not fool proof.

        I will give you VPN and remote desktop.

        But you must concede the VPN and Remote Desktop only work with decent high speed connections. In a large part of America this is not possible.

        If these files are on the personal laptops, i don't see why it just wouldn't be easier to password protect the file. Which might be the case anyway, but who knows facts.

        link to this | view in chronology ]

        • identicon
          A Dial-Up User, 13 Dec 2006 @ 12:40pm

          Re: Re: Re: Can't Understand

          "But you must concede the VPN and Remote Desktop only work with decent high speed connections. In a large part of America this is not possible."
          I agree to a certain extent. They are worthless on my connection, and this would not be possible for a small company in a large part of America. For a large enough company, or anyone with enough money, however, there are ways of providing fast enough connections anywhere.

          link to this | view in chronology ]

          • identicon
            Dan, 13 Dec 2006 @ 2:39pm

            Re: Re: Re: Re: Can't Understand

            I don't agree about high speed connections or about VPN. First though, I think that Boeing (like most companies) doesn't take the privacy of its employees seriously enough, otherwise they'd seriously punish or fire any employee who intentionally exposes employee info outside of their internal network. The way you can tell that Boeing doesn't take it seriously is this: what would they do to an employee that leaked blueprints for their planes that way? What would they do to someone who exposed the source code to one of their flight control systems? See what I mean?

            The issue isn't that the thieves stole the laptop to get that data - they almost certainly did not. The thieves probably stole the laptop to sell it. Even if there are some insanely obscure methods of finding random fragments of cached data on the hard drive, the theives wouldn't be at all interested in it! They probably wouldn't even know what the laptop was ever used for so they wouldn't even know what to look for - all they want is to make a quick buck selling it. Using a VPN with RDP would all but guarantee security of the data.

            As for expense and availability of broadband connections - I have to disagree completely. I live in rural Montana - town with a population of maybe 2,000 people. We don't even have home mail delivery, we have to go into town to get our mail at a PO box. I've got a 1.5Mb DSL connection and prior to that I had a 512Kb wireless connection. VPN and SSH tunnels work fine over either of those. If those kinds of connections are availble in the middle of Montana then I'm pretty sure anyyone living within 50 miles of a Boeing office has access. Cost for me is about $79/month including fixed IP charges.

            link to this | view in chronology ]

        • identicon
          Anonymous Coward, 13 Dec 2006 @ 2:40pm

          Re: Re: Re: Can't Understand

          "But you must concede the VPN and Remote Desktop only work with decent high speed connections. In a large part of America this is not possible."

          We aren't talking about Central American. We're talking about the United States. Check your sun dial. It's not 1990 anymore. Cell coverage, and with it "decent high speed connections," exist everywhere. Christ, they have cell network competition in Appalachia. Coal miner's daughters argue about which network is better!

          The software accessed largely determines the bandwidth needs, but a decent, secure VPN to Terminal server arrangement will work fine over a dialup. Better slow than stupid. Ask Carl Sagan.

          If these files are on the personal laptops, i don't see why it just wouldn't be easier to password protect the file.

          They don't hurt, but there is secure and there is SECURE. Boeing (a massive defense contractor) should be SECURE. My janky insurance company does better than this to cover a handful of SSN's. A proprietary password scheme is easy for a determined coder to break. A completely encrypted HDD is hard, and a passworded, encrypted file behind a well monitored VPN in a secure location is damned near impossible.

          link to this | view in chronology ]

    • identicon
      Beefcake the Understander, 13 Dec 2006 @ 11:39am

      Re: Can't Understand

      There is no valid reason for Boeing to allow this. They have the resources to maintain the data on-premise and grant at-home HR personnel remote access. Is it foolproof? No. Does it eliminate the "laptop stolen" aspect (which seems to be the prevailing cause in these cases)? Absolutely.

      I can't understand why sensitive information is allowed to leave the premises. You can bet if it were plans for a new product, there would be hell to pay. But it only affects employees personally, so they let HR convenience trump common sense.

      link to this | view in chronology ]

    • identicon
      Sam, 13 Dec 2006 @ 11:41am

      Re: Can't Understand

      Seems to me you can't understand a concept far more important than your "HR Department" and accounting. That concept is "Security". This is not about what's being stolen, who had it, or how much was stolen... it is about how reliable and secure a company's data is. It tells a LOT about a company and how it handles it's data infrastructure.

      Understand the concept of security with different technology such as Terminal Clients and data backup used today by many "serious" businesses.

      A business that takes security seriously and values their data is going to make sure their data is out of the reach of unauthorized people. They will make sure they monitor access of that data. They will make sure that data is constantly backed up. They will make sure at the same time that the authorized people have all available access from anywhere in the world - SECURELY!

      If all the data was in a laptop's hard drive, then it COULD have been because a major backup was saved on it. I suspect Boeing has a serious infrastructure, so I'm sure policy was broken by doing this.

      The person that had their laptop stolen is not only going to get fired, it will be sued for braking company policies.

      link to this | view in chronology ]

    • identicon
      Curiosume, 13 Dec 2006 @ 11:43am

      Re: Can't Understand

      Read the article again, they never said they can't understand why they would need access to employee information.....they asked why on earth someone from Boeing would need it local on a laptop.

      It seems to make more sense, for security reasons, that employee data should only reside on the servers and if anyone who is authorized needs that information they should connect securely to the server to retrieve it......and I can't understand why they don't implement something like that.

      link to this | view in chronology ]

    • identicon
      Frank LaClare, 13 Dec 2006 @ 11:51am

      Re: Can't Understand

      With a company the size of Boeing, this information should be maintained on a secure corporate server. I have been in accounting, and this information never resided on a local drive. If the work needs to be done from home, you use a secure VPN solution to remotely access the information from the corporate servers where the information is always up to date.

      This is insane, and a complete lack of security from a corporate perspective. The second issue I have in regards to using this "Accounting" excuse, is the accuracy of the information. Unless it was purely for historical research project, the information for tax purposes would only be as accurate as the last time they downloaded it from the central server. People get married, divorced, change dependents, etc. The corporate policies my company uses not only prevent downloading the information to a local drive for security, but also to ensure you are looking at the most accurate, recent data.

      link to this | view in chronology ]

    • identicon
      Jack Sombra, 13 Dec 2006 @ 11:52am

      Re: Can't Understand

      I presume you work in HR and not IT and don't know much about computers nor data protection?

      There is zero reason for anybody from a HR department of any reasonable sized company to take bulk data (of any type) like this outside the company, actually would go further to say there is zero reason for sensitive information like this to be even stored on workstations/laptops that never leave the premises.

      All such information should be held on the network/mainframe databases, which would have (one would hope) decent security in place and just as importantly backup process's.

      People working from home? Thats what VPN is for

      Sadly though, Boeing and your mindset is pretty common and will remain so until people start not only getting fired for stupity like this but actually start doing jail time/getting huge fines as well

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Dec 2006 @ 11:54am

      Re: Can't Understand

      Now if only there was a way to access this information REMOTELY. Some sort of interconnection between PCs, an "internet" if you will. Think of it as a series of tubes, that should help.

      Now imagine if you can the ability to access data that's *gasp* stored on a secure server! God, that'd be useful. Maybe someone should try to develop this technology.

      link to this | view in chronology ]

    • identicon
      Angryoaf, 13 Dec 2006 @ 12:57pm

      Re: Can't Understand

      I never respond to these buy I really have to say that the person who made the first reply to this thread is a complete moron. The point of this article has obviously gone way over your head.

      Obviously an HR or AP dept would require this information... Why would an HR or AP dept need to be run out of someone's car? Especially a company thats the size of Boeing?

      link to this | view in chronology ]

    • identicon
      No Excuses Not Even Working From Home, 13 Dec 2006 @ 1:01pm

      Re: Can't Understand

      I work from home regularly and I don't have a single bit of data on my laptop or home PC that could cause a leak. There is a wonderful thing called VPN which allows people to work from any net connection while having all the network resources they need. To carry around on a laptop sensitive info for over 300k people is absurd. There is no justifiable reason for it.

      link to this | view in chronology ]

    • identicon
      t2k, 13 Dec 2006 @ 1:47pm

      Re: Can't Understand

      "This information is necessary for the Accounting staff to pay employees, file taxes, etc. If you don't understand this, please attend a ACT 101 class.

      Now this information leaving company grounds. If you have ever worked for a small company (which Boeing is not, I understand that) that usefullness of HR and Accouting is high, but the ability to afford one full time, this usually isn't possible. Thus, these employees work only 1 or 2 days a week and yes sometimes from home. Oh my god, employees in the US work from home. If they are working from home, what information are the going to use to work?"


      Umm not be trying to outdo your pretentiousness - you're obviously the molst clueless but also most pretentious prick - but why don't you show up in a freakin' elementary school science/computer class to get a basic grasp on how the world works?

      Have you ever heard about - God forbid! - REMOTELY CONNECTING to your office? Especially when you are working with such sensitive data?

      PS: if you're clueless and decide to post idiotic posts then at least do it humble, pal.

      link to this | view in chronology ]

    • identicon
      satab, 13 Dec 2006 @ 2:53pm

      Re: Can't Understand

      it's not nessarry to carry this shit around

      link to this | view in chronology ]

  • identicon
    hey now, 13 Dec 2006 @ 11:25am

    Wait a sec.

    Hey maybe there is a valid reason for this. Like..they were... sending out W2's from home????

    link to this | view in chronology ]

  • identicon
    John, 13 Dec 2006 @ 11:32am

    It's call a modem!

    Any HR employee that needs to stay in touch with data on one employee let alone 300K outside of company property should be doing via a secure Internet link. If their mobile then invest in a cell modem! Don't give me the bull they must be able to look things up 24/7, if they can get the call requesting employee info then they can connect back to the company!

    link to this | view in chronology ]

  • identicon
    whargoul, 13 Dec 2006 @ 11:37am

    Agree with John (#3)

    We have the technology today where most people that work from home, or wherever, shouldn't have to take any of their data with them. With today's technology you can log into your companies network and view your office desktop just as if you were sitting there. It's not that expensive either. I do it all the time.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 Dec 2006 @ 11:37am

    I can see a need for someone to have the information - or where there might be cache's or something on someone's computer.

    I CANNOT understand why there is NOT a law requiring this information to be ENCRYPTED.

    If this were healthcare information, these companies would be subject to massive fines under the HIPAA laws.

    Come to think of it, why aren't they being penalized has having compromised confidential health care information - my name, birthday, and social security number are all data that apply to a living being - myself. They're all required every time I go to a Doctor or Hospital. Why not charge them with a loss of healthcare information and be subject to a fine of $10,000 per incident (person) for 579,762 incidents or $5,797,620,000?

    link to this | view in chronology ]

  • identicon
    The infamous Joe, 13 Dec 2006 @ 11:39am

    HR != Moderately Tech Savvy??

    A simple encryption prgram would have at least made the information useless to the thieves.

    Since you can find them free, it seems that Carlo hit the nail on the head-- it's just apathy and laziness. So it's safe to say that I don't know why they had that information UNSECURED on that computer. YOu don't even have to know much to use some of my favorite ones, it's no harder (or perhaps easier) and using access or a spreadsheet.

    It should become very very painful, at the latest, the second time a company loses information on it's employees.

    You just know this has something to do with terrorists. *mutters*

    link to this | view in chronology ]

  • identicon
    The infamous Joe, 13 Dec 2006 @ 11:41am

    great minds...

    Ha, we all posted pretty much the same thing at once. Creepy.

    link to this | view in chronology ]

  • identicon
    Michael Long, 13 Dec 2006 @ 11:43am

    Felony

    A) Make the theft of such information a Federal felony offense.

    B) Make allowing the theft of such information also a Federal felony offense.

    link to this | view in chronology ]

  • identicon
    misanthropic humanist, 13 Dec 2006 @ 11:43am

    completely unprofessional behaviour

    Well, Unkowledgeable, I don't understand either. It sounds like whatever they teach you in ACT101 is complete bollocks to me.
    At the very least the data should be anonymised to simple employee codes. No accountant or HR officer needs to know the actual names and addresses of employees, in fact they do their job much better when they don't have to know the details of their colleagues. A company the size of Boeing should be encrypting it or else their IT staff are completely inept asshats.

    Also, you assume that working from home is achieved only by the use
    of a laptop and physically carrying sensitive data from one location to another. Even a someone skilled in the most basic IT will tell you that this is the dumb way to do it. You provide a secure server login through SSH/VPN to the data on the company machines and use the wonderous modern marvel of the intermerweb to access it.

    Allowing employees to take sensitive personal data off-site is bush league behaviour.

    The reason shit like this happens is probably because stuffed suits like HR wankers and accountants are given leave to make infosec decisions that they aren't qualified to.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Dec 2006 @ 11:47am

      Re: completely unprofessional behaviour

      [quote]Allowing employees to take sensitive personal data off-site is "bush league behaviour".[/quote]

      LMAOL!

      link to this | view in chronology ]

    • identicon
      Unknowledgeable Geek, 13 Dec 2006 @ 11:55am

      Re: completely unprofessional behaviour

      I can see how people get without the use of names, i mean i will just write this check out with the employee id number and assume it goes to the right place.

      I agree Boeing has no excuse, being the size they are.

      If you minimal amount of IT skills gives you the assumption that VPN is secure, i'll just sit on your network for a couple of days. And if you think there is no cached or temp copy on your HD when you do use VPN or RDP just give me your laptop once your done.

      Don't make me sound dumb and yourself smart if you don't know what you are talking about.

      The only way to solve this issue is through Encryption. VPN are secure right now, b/c there are other ways to steal data, once everyone is using VPN you think it will be secure ask Microsoft. See keep your modern marvel's to yourself and look at changing environments.

      And if my HR department didn't know my name, boy I would be a happy employee.

      link to this | view in chronology ]

      • identicon
        Steve Lambert, 13 Dec 2006 @ 12:09pm

        Re: Re: completely unprofessional behaviour

        wow Unknowledgeable Geek ... wtf are you talking about???

        link to this | view in chronology ]

      • identicon
        Anonymous Coward, 13 Dec 2006 @ 12:09pm

        Re: Re: completely unprofessional behaviour

        The point is that a VPN/SSH solution at least *greatly* mitigates the risk. Is it 100% fool-proof? No. But it's a damn sight better than some idiot leaving a laptop with 300,000+ employee's personal information in their car. Encryption would *help*, but you didn't bother to mention it until now.

        Come on, admit it ... [1] your initial response was stupid, [2] trolling about and choosing to defend yourself against this particular response, well ... we'll wait to see what the general consensus is ...

        link to this | view in chronology ]

      • identicon
        Byron, 13 Dec 2006 @ 12:15pm

        Re: Re: completely unprofessional behaviour

        "If you minimal amount of IT skills gives you the assumption that VPN is secure, i'll just sit on your network for a couple of days. And if you think there is no cached or temp copy on your HD when you do use VPN or RDP just give me your laptop once your done."

        That's NOT the issue - the issue is Boeing has already had 4 laptops with personal data swiped, and never did diddly about THAT PARTICULAR PROBLEM at least 1...2...3 times before - duh! Forget the fact that VPN isn't one hundred percent invincible - ANY. PROCESS. OTHER. THAN. ALLOWING. PERSONNEL. TO. REMOVE. LAPTOPS. FROM. THE. OFFICE. WOULD. BE. MORE. SECURE!

        link to this | view in chronology ]

      • identicon
        Annoyed by Idiots, 13 Dec 2006 @ 12:21pm

        Re: Re: completely unprofessional behaviour

        Dear Unknowledgable,

        In a company as large as Boeing I can assure you there is no one sitting down, "writing out cheques". They put the data into the software and come payday they click "print cheques" and their hi-speed printer spits out thousands of cheques with the proper name, amount and address. Amazing, isn't it? Not to mention most of them probably get paid via direct deposit anyway which means all they do is enter the info and at midnight their bank makes the correct deposits. Hate to be the one to break it to you, but if you work for a company with more than 100 employees, unless your the guy who delivers the mail or you happen to spend an inordinate amount of time in the HR office - no one in the HR department knows your name.

        The fact of the matter is, in a company like Boeing there is no reason, at any time, for ANYONE to be carrying around that kind of info on their colleagues - past or present. There truly is NO EXCUSE. VPN may not be perfect, but I can think of over a half a million people who would love for them to at least tried. Think of it this way, if I put my valuables in a locked box in the bank and it gets broken into and my stuff is stolen... provided that the bank was using all the available security measures one would expect a bank to use.. I can't necessarily fault the bank. At least they tried. But if I leave my stuff in a deposit box in the bank, and they decide to leave the bank door wide open, the vault unlocked and my own personal box unlocked and sitting on a table ripe for the picking.. well then you've got gross negligence.

        link to this | view in chronology ]

        • identicon
          Unknowledgeable Geek, 13 Dec 2006 @ 12:28pm

          Re: Re: Re: completely unprofessional behaviour

          The fact that none of you think Boeing has a system in place for something like this is just a mind blowing.

          If this has happened 3 times before, are you gonna tell me someone in Boeings IT department didn't try and set something up, or are all of you to knowledgeable to be working for such a bad company?

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 13 Dec 2006 @ 12:32pm

            Re: Re: Re: Re: completely unprofessional behaviou

            "The fact that none of you think Boeing has a system in place for something like this is just a mind blowing."

            The fact that their "system" has failed three times before and they have yet to undertake some sort of corrective measure is just mind blowing.

            Think about it, if some employee was sneaking around with info they shouldn't have on their laptop and their laptop is stolen, given the fact that by default, their moral compass isn't that straight (otherwise they wouldn't have stolen the data in the first place) what do you think the chances are of them going up to their boss and going "uh hey, know that laptop that was stolen? Well it had a bunch of personal info on 300 000 employees on it.. just so you know".

            link to this | view in chronology ]

          • identicon
            Jack Sombra, 13 Dec 2006 @ 12:42pm

            Re: Re: Re: Re: completely unprofessional behaviou

            "The fact that none of you think Boeing has a system in place for something like this is just a mind blowing."
            You would be susprised what i have come across over the years.

            Seen stupidly like this in many companies and it's normally down to one simple reason, a politically powerless IT department (and it's normally the companys higher managements fault not the IT departments)

            If Boeing have such a system in place it seems there is a huge breakdown somewhere which is letting their HR department be a "law unto themselves" and get away with ignoreing the IT policys

            link to this | view in chronology ]

  • identicon
    Unknowledgeable Geek, 13 Dec 2006 @ 12:11pm

    Small companies

    I assume that all of you work for large companies, thus the idea that whatever works for a large company must work for a small company mentality.

    Security, I agree, is a very large concern, but to say everyone has the ability to use VPN or Remote Desktop is not only ignorant it is snobbish.

    And yes, these companies that can't afford full time HR and full time Accounting do download company data to their personal pc's to have the ability to work from home and save the company money.

    And yes, I do IT support for small companies. And no, none of my clients have had their data stolen.

    I setup VPN connections for my clients all the time, but there are some instances where this is not possible, so yes I have to find another way. So if you can inform me of another way to tell a client to get information from his server to his laptop when he is at home and there is no internet connection, i am all ears. Until then, I suggest you look elsewhere to blanket statement ideas. This is not a perfect world, so sometimes the best solutions are not applicable. And you are going to tell me that a company the size of Boeing doesn't have these policies in place and it still happened.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Dec 2006 @ 12:13pm

      Re: Small companies

      *ahem* ... BOEING.

      link to this | view in chronology ]

    • identicon
      Curiosume, 13 Dec 2006 @ 12:19pm

      Re: Small companies

      But who here, besides you, is talking about a small company? Let me help you with an answer there....no one.

      We're all talking about Boeing! I think they can spring for the necessary security.

      link to this | view in chronology ]

    • identicon
      You're Wrong., 13 Dec 2006 @ 12:28pm

      Re: Small companies

      I work for a company in which I am one of 8 employees. That's including the two bosses who co-founded the company.

      When I work from home, I access our company server securely through an encrypted connection. We have an employee that telecommutes from the opposite side of the country. All our files stay on the server located in the office. If you stole my laptop tomorrow, you wouldn't even know what kind of work it is I do, let alone any specific information related to my company.

      8 people. If we can do it. So can Boeing.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Dec 2006 @ 12:32pm

      Re: Small companies

      And yes, I do IT support for small companies...

      Maybe Boeing could use your help?

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Dec 2006 @ 12:50pm

      Re: Small companies

      We haven't been talking about a small company, and even if we had they could use remote desktop...I know someone who uses that on his own without a company at all.

      link to this | view in chronology ]

  • identicon
    hoeppner, 13 Dec 2006 @ 12:12pm

    fool me once shame on you, fool me twice shame on me, fool me thrice.....

    (laptops being secure and all, data protection)

    link to this | view in chronology ]

  • identicon
    Reston, 13 Dec 2006 @ 12:14pm

    What's even more alarming...

    ...is the horrible, nearly unreadable grammar displayed by patrons of this website. No, I'm not a grammar nazi.

    link to this | view in chronology ]

  • identicon
    vmunster, 13 Dec 2006 @ 12:26pm

    We can go ahead and bash Boeing about how a company their size should have it together better, I think we can all agree on that....The more important question seems to be WHAT is the reason behind Boeing not making the necessary changes to improve their security?

    It seems to me that either nothing "bad" happened from the first 3 data losses, or Boeing is so behind on technology that they are unwilling to make changes to try to play catch up; it could just be too hard and they're scared to try to change. They could also be unaware of the latest technologies that could protect their data, but if that was the case, then not only are they cowards but they're stupid too...I mean c'mon! All it takes is looking up "Remote Laptop Security" on Wikipedia or something!

    Let's just hope all those airplane geeks start to get smart(er) and do something about their security this time around...instead of waiting to see if something "bad" will happen.

    link to this | view in chronology ]

  • identicon
    Jack Sombra, 13 Dec 2006 @ 12:26pm

    Oh come on

    Sure VPN (one of the most basic forms of this type of networking) is not 100% secure, but in comparision it is about 10000 times more secure that having the data sitting on some random pc in some random location.

    If more security is required there are other more expensive and secure solutions out there, or in a case like a company the size of boeing they could develop their own.

    Which keeps data more secure?

    Nice shiny laptop with 382000 records stored locally sitting in a car/train/average home or Nice shiny laptop with no data stored locally sitting in a car/train/average home?

    Sorry but to anyone with half a brain it is quite litterly a no brainer

    But then again, thinking about many people i have met that work in HR departments i could see how this would be a difficult question

    Your whole argument is akin to saying "there is no point in closeing and locking your front door and turning on your alarm as someone with knowledge and training could pick the lock and disable the alarm before it could off"

    link to this | view in chronology ]

  • identicon
    Closet Geek, 13 Dec 2006 @ 12:28pm

    Do we know?

    My question is.............How many times has this happened in other companies and no one knows about it?

    I agree, there sould be a stiff penility for this kind of information loss! Both for the company (for being stupid) and the criminal wanting to use it.

    Sounds like a nice class action law suit to me!

    link to this | view in chronology ]

  • identicon
    cb, 13 Dec 2006 @ 12:36pm

    part time

    A part time payroll person ? Works only 1 or 2 days a week ? From Home ? Get real !

    link to this | view in chronology ]

  • identicon
    Yossarian, 13 Dec 2006 @ 12:38pm

    Completely Ludicrous

    I'd imagine a company as large as Boeing could provide high speed internet to its off-site workers. Even in rural areas, a person can get satellite or ISDN service. Most people don't bother because of the expense, but with the corporation picking up the tab, it'd be feasible. Employees not having internet access is not a valid excuse for eschewing a VPN/SSH setup.

    Second, those laptops should have been locked down with the data encrypted. Anyone ever tried to crack a ThinkPad with a BIOS and a hard drive password? Good luck with that. Nevermind smart cards, fingerprint readers, or hell, a locked laptop case.

    At the risk of sounding facetious, this ain't rocket science. Even if they weren't smart enough to put very, very basic security rules into place after the first laptop disappeared, they should have before the next three f'ups.

    link to this | view in chronology ]

  • identicon
    Mike Hathaway, 13 Dec 2006 @ 12:39pm

    Fines

    There is a simple solution, a state law of federal. Whenever employee data is stolen companies are required to notify employees of the loss through a written letter with a check for $1,000 made out to said employee attached each time it happens. You don't need any laws ording companies to encrypt or protect data. They will come up with there own solutions pretty quickly.

    link to this | view in chronology ]

  • identicon
    IT Killa, 13 Dec 2006 @ 1:27pm

    When I work from home, I SSH to my network and RDP or Citrix to my "Virtual office machine". The only thing that is unsecured in my mac book Pro is Firefox, because I have a couple of unimportant passwords saved there. Of Course though, those passwords are protected by a "master password", PLUS! I'm using local and domain authentication and FileVolt which uses another master password to secure my home folder at 128-bit (advanced) encryption.

    This is a government entity with close to 1000 employees.

    Just imagine what a 4000+ money making establishment must do to secure their data.

    link to this | view in chronology ]

  • identicon
    Sanguine Dream, 13 Dec 2006 @ 1:35pm

    Some accountability would be nice...

    I'm willing to bet that all these (former) employees that had thier laptops stolen weren't shown any mercy so why is nothing be done to the company. Between this, the **AAs, and HP almost getting away with pretexting its no wonder people think big busness needs to go away.

    But no politicians are too buys trying to trick voters into thinking they are "protecting the children". I've said before and I'll say it now. They won't care until their own info is stolen and used or they think they can get a lot of votes out of it (i.e. it beomes the new "protect the ___").

    link to this | view in chronology ]

  • identicon
    sysadmn, 13 Dec 2006 @ 1:44pm

    Some companies learn

    I work for a corporation even larger than Boeing. In the last two months, we've received 3 emails restating company policy about data protection. Even better, since we're a multinational, even US personnel data will be protected at the (higher) level required by the EU. Best - every laptop in the business will have an encrypted hard drive (SAFEBOOT) by mid-2007. Sound like a long time, until you realize there are tens of thousands in our division alone.

    link to this | view in chronology ]

  • identicon
    Old Guy, 13 Dec 2006 @ 2:08pm

    Bottom Line

    Bottom line is this: If the information was a new airplane design, they would be all over it. There would be a huge
    amount of time and effort to secure the info. But since it was only people's personal information it just ain't that important

    link to this | view in chronology ]

  • identicon
    misanthropic humanist, 13 Dec 2006 @ 2:27pm

    spot on

    Actually, Old Guy, I think you've hit the nail. That's basically it. Those responsible for security of personal records simply do not it very seriously.

    link to this | view in chronology ]

    • identicon
      Celes, 14 Dec 2006 @ 11:54am

      Re: spot on

      A bank neglects to put 3 payroll deposits into the correct accounts. The bank thinks, "3 out of 1,000,000 is actually really good." The 3 people who didn't get their paychecks see things quite differently.

      A hotel housekeeper cleans 25 rooms in a day. She had to rush through one, but it looks okay. 1 out of 25 is fine. The lady whose 2-year-old just found a used condom behind the trash can has something else to say about that.

      Those responsible for maintaining the security of personal data SHOULD be concerned because each one of those mistakes is potentially quite costly to the person whose data is floating out there. But they aren't, because the ratio of leaks is small.

      link to this | view in chronology ]

  • identicon
    Aruvia, 13 Dec 2006 @ 2:47pm

    RE:Some companies learn

    sysadmin seems to be the only one who even has a clue the scale we're talking here...

    point in fact. Boeing does have Policies regarding security of personnel data

    No! Personnel info, proprietary, classified Data should not ever be on a laptop locally.

    yes there are encryption methods available for the rare exceptions.

    yes data can be accessed when needed via a secure connection.

    a project is in process to encrypt all HD's on all PC's laptop or otherwise

    It’s the sheer numbers involved that make this difficult to prevent

    it only takes one idiot not adhering to the policies and procedures to create this type of incident, of thousands of employees requiring access to this data odds are pretty high of coming across a few. Though at this point they haven’t announced weather or not the data was encrypted it makes little difference Boeing would still react the same as even encryption is not guaranteed proof against the data being accessed by someone with enough recourses at their disposal.

    link to this | view in chronology ]

  • identicon
    Pinus, 13 Dec 2006 @ 4:40pm

    RE: RE:Some companies learn by Aruvia

    I don't understand.

    You seem to be suggesting it's even worse than people though.

    Does everybody in Boeing have access to employee data - is this the sheer numbers of laptops making it difficult to secure the data?

    link to this | view in chronology ]

  • identicon
    Rich Kulawiec, 13 Dec 2006 @ 5:54pm

    Old Guy has absolutely nailed it

    This has happened three times because it costs Boeing -- essentially -- nothing.

    It's cheaper for them to continue to permit this to happen than to fix it.

    It won't impact profits. Nobody will be indicted. If there's any kind
    of federal/state/local action it'll be wrist-slap and no more. If there's
    a civil action filed, they'll used their army of landsharks to drag it
    out for years while outspending the plaintiffs and eventually negotiating
    a settlement that enriches the plaintiff's attorneys but admits no wrongdoing and provides only token compensation to those affected.

    Whereas, as Old Guy has shrewdly observed, if this concerned
    some data that could make them a cool $220M, then this would
    be treated as an all-out push-the-big-red-button emergency,
    and every possible resource would be pressed into service.

    "Follow the money" as a no-longer-anonymous tipster once said.

    It's not about VPNs or encryption or anything else, it's all about
    cold hard cash in the pockets of Boeing executives.

    link to this | view in chronology ]

  • identicon
    |333173|3|_||3, 13 Dec 2006 @ 9:04pm

    Making it an offence to steal the private data would not have helped in this case, since chances are that the computer was stolen without the theif knowing or caring what ws on it, planning on formatting it and taking it round to the nearest cashies or everything-that-fell-off-the-back-of-a-lorry market. Discovering 30000 sets of bank details sounds like an added bonus to me.

    link to this | view in chronology ]

  • identicon
    Martin L, 13 Dec 2006 @ 9:08pm

    It's interesting that you-all assume the motive was theft of a laptop instead of the data. Maybe it's Total Information Awareness topping off their database.

    link to this | view in chronology ]

  • identicon
    Ferin, 14 Dec 2006 @ 8:56am

    It's obvious why it's happening

    There's a simple reason tis idiocy happens. People have been taking their work home with them for decades. Before computers were wide spread, they only took the case files they needed, a few personel, maybe a small division.

    Now people just take the whole directory home, so they can cross reference and work on whatever they need to. Instead of relaizing that you need to see records for another division and having to wait till you get back into the office, you can pull tem up easily.

    The result, of course, is that instead of your briefcase geting stolen and losing a three or four files, now your laptop gets stolen and you lose 300000 people's records.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Dec 2006 @ 11:46am

    i think we all agree that there are plenty of optoins for keeping employee data "secure" either by vpn, encryption, hiring full time office employees that don't take information home.

    what is distrubing is the lack of concern from boeing, or the gov't. now, if some VP or CEO of boeing, or a dear relative of some senator was involved in the "data leak" and financial records were "ruined" you can bet your arse that half a heartbeat later boeing woudl pay out the wazoo, fire the employee that lost the data, and instilled some training programs and whatnot.

    but it's like street ball: "no harm, no foul" so boeing has no reason to spend extra money to "fix" the problem, so why whould they? do you buy new breaks if you'rs are worn down 20%? i wouldn't. 40%? still i wouldn't...50% maybe i think about it. 25%, that's about wherne i'll start getting all concernicus

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 Dec 2006 @ 12:25pm

    yeah, it's the 3 people from the bank, it's the lady's kid....if it wsa the bank's owner, the hotel's owner,...then you'd have a problem

    but those who make the decisions aren't affected, so why bother? right?

    it's the sad true reality of life...

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.