WCCO reports, and thanks to Jon P for the tip.

It’s reported that the data doesn’t appear to have been compromised. A major, major bullet dodged!

On that unencrypted device? 3,300,000 names, addresses, Social Security numbers, and other personal data on borrowers. Over three million college students breached, one single device, no real security.

Officials say it was “a simple, old-fashioned theft” and “not a hacker incident.” Of course that’s of almost no consolation.

The list continues to grow. And of course, had the device been encrypted with patent-pending and NIST FIPS Level 2 certified MyLaptopGPS strong encryption, or any other decent encryption, there would be no issue here.

The Queens Chronicle reports that the information also included administrative decisions, medical evidence, and internal agency documents, along with the names and SSNs.

The administration is offering three years of credit protection to all the victims.

The report found that, as we’ve always said as well, criminals target the low-hanging fruit. Far and away the preferred MO of data thieves is to move on to an easier target when resistance or decent defenses are encountered. That is not to say that certain high-value targets don’t still attract determined thieves, but rather that most of the time, a little bit of defense goes a long way.

On pages 26-27 of the report, we find that “omissions” were tied with “misconfigurations” as the leading cause of breach. And one of the most common “forms” of omission was failing to change the default password on a device/service/package, despite policies requiring it.

Actually, that also highlights the “policies are made to be broken” mantra, but here my focus is on the fact that we intend to at least plug the largest, most obvious holes, but often fail to do even that.

Businesses install a new router and leave the administration password as “admin” or “password” — or whatever the vendor shipped it with.

For an experiment, any script kiddie can probe IP addresses looking for signatures of known vendors. For example, many web servers list their package name and version in their response. I’d venture a guess that spending 20 minutes probing devices and trying to login with the known default username/password for that manufacturer’s device would turn up a successful hack. That’s just plain easy.

Don’t merely intend to change the default password. Actually change it. Have a process in place to verify and ensure that your staff did in fact follow the “change the password policy.” A large portion of the victims studied in the latest Verizon study were hit by such trivial attacks. Don’t make it so easy for the enemy.

Newsday.com reports on the theft of 2,246 Bernie Madoff victims’ PII thanks to an unsecured laptop computer belonging to AlixPartners LLP, the consulting firm that had been processing the victims’ claims. To be clear, then:

1. Victims lose their life savings (thankfully not in all cases) due to one of the most egregious cases of fraud by an individual in history.
2. Victims hope to receive some restitution, even minimally.
3. Firm chosen to assist by processing claims fails to protect PII on its own laptops.
4. Firm experiences the same thing 2.6 million others did last year: laptop theft.
5. Firm claims information was “password protected” (sound familiar?). That is, the data is wide open.
6. Firm delays two months before notifying the victim-victims.

Obviously it’s doubly sad that victims experienced double jeopardy. And it’s made worse by the fact that this story is just like almost every other one, including the response by AlixPartners that “the information was password protected” and “[they] have no reason to believe it has been compromised.”

I must admit that I did a double-take when I read the spokesman’s statement, however:

“The names, addresses, Social Security numbers and some Madoff account information on 2,246 investors was contained in a computer stolen from the car of an employee of AlixPartners Llp, the consulting firm that has been processing victims’ claims in the Ponzi scheme, a company spokesman, Tim Yost, said Tuesday.”

That’s right: his name is Yost. And no, we are not related, by anything more than a common appreciation for laptop theft and its consequences, which one of us learned the hard way.

It’s crucial to use an updated, current, industrial-grade firewall on your computer. Windows, for example, has one built in, but products from Symantec, McAfee, and others can also extend the functionality.

A firewall can be used to do a number of advanced things but the main idea is simple: it’s a shield. It’s a wall. It exists to prevent outside intruders (“fire”) from coming in. You might be amazed at how frequently remote attempts are made to hack into your PC over the Internet.

Even if your PC is behind a network firewall device (such as a corporate or home router), be careful, because laptop users are notorious for picking up and leaving that safe environment and forgetting that their computers are wide open when connected to the local Starbucks’ WiFi network.

Be sure to turn on and properly configure your operating system’s built-in firewall, so that it only allows inbound connections for services you need, and blocks all others. Or, get a commercial product to extend the security and functionality.

I talked to Ms. Brown (the reporter) yesterday, and she did a nice job concisely drawing out some issues.

Here’s one article, and here’s the companion article.

These are important issues, for certain.

Given the recent Heartland Payment Systems, Inc. breach, such activity is likely to rise significantly. Consumers and businesses alike should be aware, and take action. Credit monitoring services can be very useful and effective. Preventing the theft of credit card information in the first place is a high priority, and hopefully businesses are listening.

An article in the Telegraph details that the laptop “contained pictures of her family and friends as well as snaps taken on her recent travels.” A source added, “The photographs are of a sensitive nature, so she can’t just take them along to her local shop to be printed,” which is why the laptop was left at the Black Cat studio.

Police believe that the laptop might have been password protected, but they are unsure. And experts agree that regardless of the level of encryption or password protection, if the thief intentionally stole the Duchess’ laptop with intent to use the information therein, somehow the photographs will surface. However, police are hopeful that this was merely a theft of opportunity, and the laptop will merely be wiped clean and resold on the black market.

Unfortunately, that means the Duchess won’t be getting the pictures of her two daughters and ex-husband Prince Andrew.

Honestly, you would think the royals would have a certain level of security on their laptops. Had the Duchess utilized technology like MyLaptopGPS, she could have started scrapbooking already.

According to an article in the Union Leader, personal information from thousands of New Hampshire and Massachusetts residents has been compromised, located on a stolen data backup tape at the Bill Dube Ford/Toyota dealership in Dover, NH.

Although the missing data was discovered in early August, affected customers were notified in a letter dated December 5, 2008. The data included names, addresses, Social Security numbers and driver’s license information. Attorney for Bill Dube, Scott Silverman, assures that despite the other information stolen, credit card numbers and financial data were not stored on the tape.

Which is a real relief, if you’re only concerned about your credit cards.

You’re identity, though, might be in serious jeopardy. Thank you, Mr. Silverman, for clearing that one up for us.

Dover Police Lt. David Terlemezian said, “The investigation is active; we haven’t developed evidence against any particular person at this point. Exactly what happened and how it happened isn’t entirely clear.” Thankfully, he also assured that so far none of the information on the tape has been used to steal anyone’s identity.

Silverman reassures, “The dealership executives feel very strongly that whoever did this, the intent was to give them a hard time.”

Well, now that we’ve got all the formalities out of the way, why don’t we assess the situation? A single tape was stolen from the dealership. It was located in a secure storage room that few people even knew about. The tape contained Social Security numbers, addresses, and drivers license numbers. Now, what kind of thief steal a single item, like a backup tape, from a secret storage room, without knowledge that the tape might contain sensitive data? Surely just one who is trying to give Bill Dube and his associates the run-around.

Let’s be a little more realistic, guys. There is sensitive data out there, waiting to be accessed, and thousands of identities could be compromised. This hardly strikes me as a theft of opportunity.