A Fiver Buys Access & Log-In Codes To Major Financial Services Group
The current access codes and admin rights to the secure Intranet of one of Europe’s largest financial services group was purchased on a hard drive over e-bay for just five pounds as part of research into the “lifecycle of a lost laptop” by Pointsec Mobile Technologies. It was the first of 100 drives and laptops purchased as spare and used parts over Internet auction sites and other public auctions as part of research carried out by Pointsec who are mobile security specialists, to find out how easy it is for 21st Century robbers, opportunists and perpetrators to access highly sensitive and valuable company information from lost laptops and hard-drives.
Pointsec found that they were able to read 7 out of 10 hard-drives bought over the Internet at auctions such as e-bay, for less than the cost of a McDonald’s meal, all of which had “supposedly” been “wiped-clean” or “re-formatted”.
The hard-drive purchased by Pointsec over e-bay contained highly sensitive information from one of Europe’s largest financial services groups with pension plans, customer databases, financial information, payroll records, personnel details, login codes, and admin passwords for their secure Intranet site. There were 77 Microsoft Excel documents of customers email addresses, dates of birth, their home addresses, telephone numbers and other highly confidential information, which if exposed publicly could cause irrevocable damage to the company, result in a massive loss in customer confidence, the share price to plummet, as well as serious legal ramifications as the company is in breach of the Data Protection Act.
Pointsec also wanted to find out how easy it is to purchase and access information on laptops which are lost in transit such as at Gatwick or Heathrow airports, on the Eurostar or handed into the Police. In all cases they found the laptops and all the information residing on them, were put up for auction if they were not reclaimed after three months.
Pointsec visited one of the auctions used by Gatwick airport, near Chertsey and found that before even purchasing the laptops, the researchers were able to start up the laptops to inspect whether they worked. Using password recovery software they were able to access the information on one in three of these laptops. This exercise was repeated in Sweden, the US and Germany.
In Sweden the first laptop Pointsec purchased at auction, contained sensitive information from a large food manufacturer. When the hard disc was analysed they found 4 Microsoft Access databases containing company and customer related information, 15 Microsoft PowerPoint presentations containing highly sensitive company information and 1512 JPG pictures of both a company and private nature.
Peter Larsson, CEO of Pointsec Mobile Technologies said “Our research has found just how easy it is to purchase second-hand or lost laptops at public auctions as well as hard-drives over the Internet and easily access the information on them. Even when companies or individuals believe they have wiped the hard drive clean, it is blatantly clear how easy it is to retrieve sensitive information from them both during their current lifetime and beyond it. These findings reinforce how important it is to never let laptops or mobile devices leave the office without being adequately protected with encryption and strong password protection.”
Tony Neate Tactical & Technical Industry Liaison at the UK National Hi-Tech Crime Unit said: “Pointsec’s research demonstrates just how easy it is to access information which is not adequately protected. Encryption and other security measures are vital to ensure that security is not compromised – something as simple as a hard disk drive password can deter the opportunist.”
Larsson continued “There are dozens of websites which offer password cracking software or recoverable software which criminals, hackers and opportunists use when they want to break into laptops or websites. We have had many companies contact us who have had experience of criminals who have used cracking software to get at information which they’ve obtained from stolen or lost laptops and have tried to blackmail them not to go public with this information. For those who are thinking about making a career out of purchasing hard-drives for as little as £5 and using the information they find to bribe or blackmail companies, take heed – you could be facing a very long stretch at her majesty’s pleasure.”
If you want to ensure your information stays secure whilst on the move Pointsec Mobile Technologies suggests you follow these few simple steps.
1. Take the responsibility of IT security away from all mobile workers, deploy security on all mobile devices and centrally manage it.
2. Make access control and encryption mandatory.
3. Administer a mobile use policy, which sets up company guidelines on securing mobile devices and educate the staff in this policy.
4. Use hard disk encryption – this protects the information during the laptops life and beyond its active service.
Pointsec Mobile Technologies AB is a wholly owned subsidiary of Protect Data AB. The company develops and markets access-controlling and encrypting systems for stationary and portable computers, palmtop computers, smartphones, PDAs, etc. Pointsec Mobile Technologies has offices in San Francisco, Chicago and Washington DC in the USA, Cambridge in the United Kingdom, D??sseldorf in Germany and Stockholm, Falun and Sundsvall in Sweden. Visit our web site at: www.pointsec.com.
The Protect Data Group offers tailor-made IT security solutions to large companies and organizations. The company focuses on four business areas: digital identities and resource security, network security, anti-virus and content security, and consultancy services for information security. Within these areas, the company offers comprehensive IT security solutions based on aspects such as access control and encryption systems, anti-virus systems, digital sentry services, firewalls, user identification and content control, secure VPN and PKI solutions, digital signatures and systems for secure transactions. Protect Data is the market leader in its business area in the Nordic region and has subsidiaries in Sweden, Norway, Finland, Denmark, Germany, the United Kingdom and the USA. Protect Data is listed on the Stockholm Stock Exchange. Visit our web site at: www.protectdata.com.