Once, Twice, Three Times A Loser... Wait, Make That Four
from the when-you're-in-a-hole-stop-digging dept
Last November, we wondered exactly why a Boeing employee was carrying around a laptop containing the names, birth dates, Social Security numbers and bank account info of 161,000 thousand current and former employees. That laptop was, of course, stolen. That breach didn't seem to teach the company anything, as five months later, another laptop was stolen, though it had info on "only" 3,600 workers. Another one was stolen from an employee's home last month, containing info on 762 people. But, in a remarkable show ofThank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Can't Understand
This information is necessary for the Accounting staff to pay employees, file taxes, etc. If you don't understand this, please attend a ACT 101 class.
Now this information leaving company grounds. If you have ever worked for a small company (which Boeing is not, I understand that) that usefullness of HR and Accouting is high, but the ability to afford one full time, this usually isn't possible. Thus, these employees work only 1 or 2 days a week and yes sometimes from home. Oh my god, employees in the US work from home. If they are working from home, what information are the going to use to work?
Now, to say that that sucks when a laptop gets stolen, this is true. To say it sucks more when the laptop has ID info on it, i can agree with that as well. But to say you don't understand why people would have that info on their computers, i don't agree.
[ link to this | view in thread ]
Wait a sec.
[ link to this | view in thread ]
It's call a modem!
[ link to this | view in thread ]
Re: Can't Understand
[ link to this | view in thread ]
Agree with John (#3)
[ link to this | view in thread ]
I CANNOT understand why there is NOT a law requiring this information to be ENCRYPTED.
If this were healthcare information, these companies would be subject to massive fines under the HIPAA laws.
Come to think of it, why aren't they being penalized has having compromised confidential health care information - my name, birthday, and social security number are all data that apply to a living being - myself. They're all required every time I go to a Doctor or Hospital. Why not charge them with a loss of healthcare information and be subject to a fine of $10,000 per incident (person) for 579,762 incidents or $5,797,620,000?
[ link to this | view in thread ]
Re: Can't Understand
I can't understand why sensitive information is allowed to leave the premises. You can bet if it were plans for a new product, there would be hell to pay. But it only affects employees personally, so they let HR convenience trump common sense.
[ link to this | view in thread ]
HR != Moderately Tech Savvy??
Since you can find them free, it seems that Carlo hit the nail on the head-- it's just apathy and laziness. So it's safe to say that I don't know why they had that information UNSECURED on that computer. YOu don't even have to know much to use some of my favorite ones, it's no harder (or perhaps easier) and using access or a spreadsheet.
It should become very very painful, at the latest, the second time a company loses information on it's employees.
You just know this has something to do with terrorists. *mutters*
[ link to this | view in thread ]
Re: Re: Can't Understand
How many programs out there can gather information from a VPN connection, too many to count. So yes, VPN would be more secure, but still not fool proof.
I will give you VPN and remote desktop.
But you must concede the VPN and Remote Desktop only work with decent high speed connections. In a large part of America this is not possible.
If these files are on the personal laptops, i don't see why it just wouldn't be easier to password protect the file. Which might be the case anyway, but who knows facts.
[ link to this | view in thread ]
great minds...
[ link to this | view in thread ]
Re: Can't Understand
Understand the concept of security with different technology such as Terminal Clients and data backup used today by many "serious" businesses.
A business that takes security seriously and values their data is going to make sure their data is out of the reach of unauthorized people. They will make sure they monitor access of that data. They will make sure that data is constantly backed up. They will make sure at the same time that the authorized people have all available access from anywhere in the world - SECURELY!
If all the data was in a laptop's hard drive, then it COULD have been because a major backup was saved on it. I suspect Boeing has a serious infrastructure, so I'm sure policy was broken by doing this.
The person that had their laptop stolen is not only going to get fired, it will be sued for braking company policies.
[ link to this | view in thread ]
Felony
B) Make allowing the theft of such information also a Federal felony offense.
[ link to this | view in thread ]
Re: Can't Understand
It seems to make more sense, for security reasons, that employee data should only reside on the servers and if anyone who is authorized needs that information they should connect securely to the server to retrieve it......and I can't understand why they don't implement something like that.
[ link to this | view in thread ]
completely unprofessional behaviour
At the very least the data should be anonymised to simple employee codes. No accountant or HR officer needs to know the actual names and addresses of employees, in fact they do their job much better when they don't have to know the details of their colleagues. A company the size of Boeing should be encrypting it or else their IT staff are completely inept asshats.
Also, you assume that working from home is achieved only by the use
of a laptop and physically carrying sensitive data from one location to another. Even a someone skilled in the most basic IT will tell you that this is the dumb way to do it. You provide a secure server login through SSH/VPN to the data on the company machines and use the wonderous modern marvel of the intermerweb to access it.
Allowing employees to take sensitive personal data off-site is bush league behaviour.
The reason shit like this happens is probably because stuffed suits like HR wankers and accountants are given leave to make infosec decisions that they aren't qualified to.
[ link to this | view in thread ]
Re: completely unprofessional behaviour
LMAOL!
[ link to this | view in thread ]
Re: Can't Understand
This is insane, and a complete lack of security from a corporate perspective. The second issue I have in regards to using this "Accounting" excuse, is the accuracy of the information. Unless it was purely for historical research project, the information for tax purposes would only be as accurate as the last time they downloaded it from the central server. People get married, divorced, change dependents, etc. The corporate policies my company uses not only prevent downloading the information to a local drive for security, but also to ensure you are looking at the most accurate, recent data.
[ link to this | view in thread ]
Re: Can't Understand
There is zero reason for anybody from a HR department of any reasonable sized company to take bulk data (of any type) like this outside the company, actually would go further to say there is zero reason for sensitive information like this to be even stored on workstations/laptops that never leave the premises.
All such information should be held on the network/mainframe databases, which would have (one would hope) decent security in place and just as importantly backup process's.
People working from home? Thats what VPN is for
Sadly though, Boeing and your mindset is pretty common and will remain so until people start not only getting fired for stupity like this but actually start doing jail time/getting huge fines as well
[ link to this | view in thread ]
Re: Can't Understand
Now imagine if you can the ability to access data that's *gasp* stored on a secure server! God, that'd be useful. Maybe someone should try to develop this technology.
[ link to this | view in thread ]
Re: completely unprofessional behaviour
I agree Boeing has no excuse, being the size they are.
If you minimal amount of IT skills gives you the assumption that VPN is secure, i'll just sit on your network for a couple of days. And if you think there is no cached or temp copy on your HD when you do use VPN or RDP just give me your laptop once your done.
Don't make me sound dumb and yourself smart if you don't know what you are talking about.
The only way to solve this issue is through Encryption. VPN are secure right now, b/c there are other ways to steal data, once everyone is using VPN you think it will be secure ask Microsoft. See keep your modern marvel's to yourself and look at changing environments.
And if my HR department didn't know my name, boy I would be a happy employee.
[ link to this | view in thread ]
Re: Re: completely unprofessional behaviour
[ link to this | view in thread ]
Re: Re: completely unprofessional behaviour
Come on, admit it ... [1] your initial response was stupid, [2] trolling about and choosing to defend yourself against this particular response, well ... we'll wait to see what the general consensus is ...
[ link to this | view in thread ]
Small companies
Security, I agree, is a very large concern, but to say everyone has the ability to use VPN or Remote Desktop is not only ignorant it is snobbish.
And yes, these companies that can't afford full time HR and full time Accounting do download company data to their personal pc's to have the ability to work from home and save the company money.
And yes, I do IT support for small companies. And no, none of my clients have had their data stolen.
I setup VPN connections for my clients all the time, but there are some instances where this is not possible, so yes I have to find another way. So if you can inform me of another way to tell a client to get information from his server to his laptop when he is at home and there is no internet connection, i am all ears. Until then, I suggest you look elsewhere to blanket statement ideas. This is not a perfect world, so sometimes the best solutions are not applicable. And you are going to tell me that a company the size of Boeing doesn't have these policies in place and it still happened.
[ link to this | view in thread ]
(laptops being secure and all, data protection)
[ link to this | view in thread ]
Re: Small companies
[ link to this | view in thread ]
What's even more alarming...
[ link to this | view in thread ]
Re: Re: completely unprofessional behaviour
That's NOT the issue - the issue is Boeing has already had 4 laptops with personal data swiped, and never did diddly about THAT PARTICULAR PROBLEM at least 1...2...3 times before - duh! Forget the fact that VPN isn't one hundred percent invincible - ANY. PROCESS. OTHER. THAN. ALLOWING. PERSONNEL. TO. REMOVE. LAPTOPS. FROM. THE. OFFICE. WOULD. BE. MORE. SECURE!
[ link to this | view in thread ]
Re: Small companies
We're all talking about Boeing! I think they can spring for the necessary security.
[ link to this | view in thread ]
Re: Re: completely unprofessional behaviour
In a company as large as Boeing I can assure you there is no one sitting down, "writing out cheques". They put the data into the software and come payday they click "print cheques" and their hi-speed printer spits out thousands of cheques with the proper name, amount and address. Amazing, isn't it? Not to mention most of them probably get paid via direct deposit anyway which means all they do is enter the info and at midnight their bank makes the correct deposits. Hate to be the one to break it to you, but if you work for a company with more than 100 employees, unless your the guy who delivers the mail or you happen to spend an inordinate amount of time in the HR office - no one in the HR department knows your name.
The fact of the matter is, in a company like Boeing there is no reason, at any time, for ANYONE to be carrying around that kind of info on their colleagues - past or present. There truly is NO EXCUSE. VPN may not be perfect, but I can think of over a half a million people who would love for them to at least tried. Think of it this way, if I put my valuables in a locked box in the bank and it gets broken into and my stuff is stolen... provided that the bank was using all the available security measures one would expect a bank to use.. I can't necessarily fault the bank. At least they tried. But if I leave my stuff in a deposit box in the bank, and they decide to leave the bank door wide open, the vault unlocked and my own personal box unlocked and sitting on a table ripe for the picking.. well then you've got gross negligence.
[ link to this | view in thread ]
It seems to me that either nothing "bad" happened from the first 3 data losses, or Boeing is so behind on technology that they are unwilling to make changes to try to play catch up; it could just be too hard and they're scared to try to change. They could also be unaware of the latest technologies that could protect their data, but if that was the case, then not only are they cowards but they're stupid too...I mean c'mon! All it takes is looking up "Remote Laptop Security" on Wikipedia or something!
Let's just hope all those airplane geeks start to get smart(er) and do something about their security this time around...instead of waiting to see if something "bad" will happen.
[ link to this | view in thread ]
Oh come on
If more security is required there are other more expensive and secure solutions out there, or in a case like a company the size of boeing they could develop their own.
Which keeps data more secure?
Nice shiny laptop with 382000 records stored locally sitting in a car/train/average home or Nice shiny laptop with no data stored locally sitting in a car/train/average home?
Sorry but to anyone with half a brain it is quite litterly a no brainer
But then again, thinking about many people i have met that work in HR departments i could see how this would be a difficult question
Your whole argument is akin to saying "there is no point in closeing and locking your front door and turning on your alarm as someone with knowledge and training could pick the lock and disable the alarm before it could off"
[ link to this | view in thread ]
Re: Re: Re: completely unprofessional behaviour
If this has happened 3 times before, are you gonna tell me someone in Boeings IT department didn't try and set something up, or are all of you to knowledgeable to be working for such a bad company?
[ link to this | view in thread ]
Re: Small companies
When I work from home, I access our company server securely through an encrypted connection. We have an employee that telecommutes from the opposite side of the country. All our files stay on the server located in the office. If you stole my laptop tomorrow, you wouldn't even know what kind of work it is I do, let alone any specific information related to my company.
8 people. If we can do it. So can Boeing.
[ link to this | view in thread ]
Do we know?
I agree, there sould be a stiff penility for this kind of information loss! Both for the company (for being stupid) and the criminal wanting to use it.
Sounds like a nice class action law suit to me!
[ link to this | view in thread ]
Re: Re: Re: Re: completely unprofessional behaviou
The fact that their "system" has failed three times before and they have yet to undertake some sort of corrective measure is just mind blowing.
Think about it, if some employee was sneaking around with info they shouldn't have on their laptop and their laptop is stolen, given the fact that by default, their moral compass isn't that straight (otherwise they wouldn't have stolen the data in the first place) what do you think the chances are of them going up to their boss and going "uh hey, know that laptop that was stolen? Well it had a bunch of personal info on 300 000 employees on it.. just so you know".
[ link to this | view in thread ]
Re: Small companies
Maybe Boeing could use your help?
[ link to this | view in thread ]
part time
[ link to this | view in thread ]
Completely Ludicrous
Second, those laptops should have been locked down with the data encrypted. Anyone ever tried to crack a ThinkPad with a BIOS and a hard drive password? Good luck with that. Nevermind smart cards, fingerprint readers, or hell, a locked laptop case.
At the risk of sounding facetious, this ain't rocket science. Even if they weren't smart enough to put very, very basic security rules into place after the first laptop disappeared, they should have before the next three f'ups.
[ link to this | view in thread ]
Fines
[ link to this | view in thread ]
Re: Re: Re: Can't Understand
I agree to a certain extent. They are worthless on my connection, and this would not be possible for a small company in a large part of America. For a large enough company, or anyone with enough money, however, there are ways of providing fast enough connections anywhere.
[ link to this | view in thread ]
Re: Re: Re: Re: completely unprofessional behaviou
You would be susprised what i have come across over the years.
Seen stupidly like this in many companies and it's normally down to one simple reason, a politically powerless IT department (and it's normally the companys higher managements fault not the IT departments)
If Boeing have such a system in place it seems there is a huge breakdown somewhere which is letting their HR department be a "law unto themselves" and get away with ignoreing the IT policys
[ link to this | view in thread ]
Re: Small companies
[ link to this | view in thread ]
Re: Can't Understand
Obviously an HR or AP dept would require this information... Why would an HR or AP dept need to be run out of someone's car? Especially a company thats the size of Boeing?
[ link to this | view in thread ]
Re: Can't Understand
[ link to this | view in thread ]
This is a government entity with close to 1000 employees.
Just imagine what a 4000+ money making establishment must do to secure their data.
[ link to this | view in thread ]
Some accountability would be nice...
But no politicians are too buys trying to trick voters into thinking they are "protecting the children". I've said before and I'll say it now. They won't care until their own info is stolen and used or they think they can get a lot of votes out of it (i.e. it beomes the new "protect the ___").
[ link to this | view in thread ]
Some companies learn
[ link to this | view in thread ]
Re: Can't Understand
Now this information leaving company grounds. If you have ever worked for a small company (which Boeing is not, I understand that) that usefullness of HR and Accouting is high, but the ability to afford one full time, this usually isn't possible. Thus, these employees work only 1 or 2 days a week and yes sometimes from home. Oh my god, employees in the US work from home. If they are working from home, what information are the going to use to work?"
Umm not be trying to outdo your pretentiousness - you're obviously the molst clueless but also most pretentious prick - but why don't you show up in a freakin' elementary school science/computer class to get a basic grasp on how the world works?
Have you ever heard about - God forbid! - REMOTELY CONNECTING to your office? Especially when you are working with such sensitive data?
PS: if you're clueless and decide to post idiotic posts then at least do it humble, pal.
[ link to this | view in thread ]
Bottom Line
amount of time and effort to secure the info. But since it was only people's personal information it just ain't that important
[ link to this | view in thread ]
spot on
[ link to this | view in thread ]
Re: Re: Re: Re: Can't Understand
The issue isn't that the thieves stole the laptop to get that data - they almost certainly did not. The thieves probably stole the laptop to sell it. Even if there are some insanely obscure methods of finding random fragments of cached data on the hard drive, the theives wouldn't be at all interested in it! They probably wouldn't even know what the laptop was ever used for so they wouldn't even know what to look for - all they want is to make a quick buck selling it. Using a VPN with RDP would all but guarantee security of the data.
As for expense and availability of broadband connections - I have to disagree completely. I live in rural Montana - town with a population of maybe 2,000 people. We don't even have home mail delivery, we have to go into town to get our mail at a PO box. I've got a 1.5Mb DSL connection and prior to that I had a 512Kb wireless connection. VPN and SSH tunnels work fine over either of those. If those kinds of connections are availble in the middle of Montana then I'm pretty sure anyyone living within 50 miles of a Boeing office has access. Cost for me is about $79/month including fixed IP charges.
[ link to this | view in thread ]
Re: Re: Re: Can't Understand
We aren't talking about Central American. We're talking about the United States. Check your sun dial. It's not 1990 anymore. Cell coverage, and with it "decent high speed connections," exist everywhere. Christ, they have cell network competition in Appalachia. Coal miner's daughters argue about which network is better!
The software accessed largely determines the bandwidth needs, but a decent, secure VPN to Terminal server arrangement will work fine over a dialup. Better slow than stupid. Ask Carl Sagan.
If these files are on the personal laptops, i don't see why it just wouldn't be easier to password protect the file.
They don't hurt, but there is secure and there is SECURE. Boeing (a massive defense contractor) should be SECURE. My janky insurance company does better than this to cover a handful of SSN's. A proprietary password scheme is easy for a determined coder to break. A completely encrypted HDD is hard, and a passworded, encrypted file behind a well monitored VPN in a secure location is damned near impossible.
[ link to this | view in thread ]
RE:Some companies learn
point in fact. Boeing does have Policies regarding security of personnel data
No! Personnel info, proprietary, classified Data should not ever be on a laptop locally.
yes there are encryption methods available for the rare exceptions.
yes data can be accessed when needed via a secure connection.
a project is in process to encrypt all HD's on all PC's laptop or otherwise
It’s the sheer numbers involved that make this difficult to prevent
it only takes one idiot not adhering to the policies and procedures to create this type of incident, of thousands of employees requiring access to this data odds are pretty high of coming across a few. Though at this point they haven’t announced weather or not the data was encrypted it makes little difference Boeing would still react the same as even encryption is not guaranteed proof against the data being accessed by someone with enough recourses at their disposal.
[ link to this | view in thread ]
Re: Can't Understand
[ link to this | view in thread ]
RE: RE:Some companies learn by Aruvia
You seem to be suggesting it's even worse than people though.
Does everybody in Boeing have access to employee data - is this the sheer numbers of laptops making it difficult to secure the data?
[ link to this | view in thread ]
Old Guy has absolutely nailed it
It's cheaper for them to continue to permit this to happen than to fix it.
It won't impact profits. Nobody will be indicted. If there's any kind
of federal/state/local action it'll be wrist-slap and no more. If there's
a civil action filed, they'll used their army of landsharks to drag it
out for years while outspending the plaintiffs and eventually negotiating
a settlement that enriches the plaintiff's attorneys but admits no wrongdoing and provides only token compensation to those affected.
Whereas, as Old Guy has shrewdly observed, if this concerned
some data that could make them a cool $220M, then this would
be treated as an all-out push-the-big-red-button emergency,
and every possible resource would be pressed into service.
"Follow the money" as a no-longer-anonymous tipster once said.
It's not about VPNs or encryption or anything else, it's all about
cold hard cash in the pockets of Boeing executives.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
It's obvious why it's happening
Now people just take the whole directory home, so they can cross reference and work on whatever they need to. Instead of relaizing that you need to see records for another division and having to wait till you get back into the office, you can pull tem up easily.
The result, of course, is that instead of your briefcase geting stolen and losing a three or four files, now your laptop gets stolen and you lose 300000 people's records.
[ link to this | view in thread ]
what is distrubing is the lack of concern from boeing, or the gov't. now, if some VP or CEO of boeing, or a dear relative of some senator was involved in the "data leak" and financial records were "ruined" you can bet your arse that half a heartbeat later boeing woudl pay out the wazoo, fire the employee that lost the data, and instilled some training programs and whatnot.
but it's like street ball: "no harm, no foul" so boeing has no reason to spend extra money to "fix" the problem, so why whould they? do you buy new breaks if you'rs are worn down 20%? i wouldn't. 40%? still i wouldn't...50% maybe i think about it. 25%, that's about wherne i'll start getting all concernicus
[ link to this | view in thread ]
Re: spot on
A hotel housekeeper cleans 25 rooms in a day. She had to rush through one, but it looks okay. 1 out of 25 is fine. The lady whose 2-year-old just found a used condom behind the trash can has something else to say about that.
Those responsible for maintaining the security of personal data SHOULD be concerned because each one of those mistakes is potentially quite costly to the person whose data is floating out there. But they aren't, because the ratio of leaks is small.
[ link to this | view in thread ]
but those who make the decisions aren't affected, so why bother? right?
it's the sad true reality of life...
[ link to this | view in thread ]