Richard Stiennon, a well-known former Gartner analyst, sent out an email the other day with interesting stories about laptop threats. One of the stories was about Scotland Yard.
The story in ThisisLondon.co.uk titled "Laptop thief lands the bank details of 15,000 policemen" describes how personal identity information on 15,000 Scotland Yard officers was obtained in the theft of three laptops. The identity information includes their national insurance numbers.
More interesting than the titillating aspect of Scotland Yard's finest having their identities stolen was the fact that the information was contained on three laptops AND that those laptops were owned by the company LogicaCMG. This is a company that, together with Paymaster, has been awarded a seven-year contract to administer the payroll and pension for the Metropolitan's (Met) 46,000 staff.
My point in this blog is that security is only as good as the weakest link. While enterprises may make extraordinary efforts internally to secure themselves, this will be undone if they rely on other parties who have weaker security systems.
In this case, the onus is on the Met to specify security standards for the sensitive data. Then it should have ensured that the data was encrypted. Further, it should also have specified that the database could not be kept on a laptop. Assuming that it did this, it should be doing regular audits to ensure the contract and security conditions are being met.
READERS TAKE NOTE. You need to do a risk assessment on all enterprise information and data. Then trace whose hands the data passes through: who administers it and who accesses it. If you find that sensitive data is being administered or accessed by outside parties, then put in place contractual requirements, accompanied by strong security, with regular audits, to ensure the information is being kept secure. Otherwise, you too may be like Scotland Yard, with egg on your face and your identity information potentially in the hands of criminals.
Guy
www.authenticationworld.com
guy.huntington@authenticaitonworld.com
