Attn all researchers: How about we just not take work laptops home from work.

Posted by ERV on April 21, 2011
(32)
More »

Are you kidding me?

Are you freaking kidding me??

Remember several months ago, the story about the PIs leaving their laptop in their car while they ate some Panera? And while they were NOMing someone broke into their car, stealing the laptop, and all their un-backed-up data?

And we are all like “OMFGWTF?”

“Who the hell leaves a laptop with that kind of information on it in their god damned car?? Who doesnt back up their data?? WAT??? … Oh well, costly reminder for the rest of us.”

YOU WILL NOT BELIEVE THIS.

Okla. health department laptop stolen

Nearly 133,000 people may have had personal information compromised after a laptop belonging to the Oklahoma State Health Department was stolen from an employee’s car on April 6.

Stolen data may include names, birthdates, mailing addresses, Social Security numbers, medical records information, laboratory results or other data, according to the state agency.

*passesoutfromdisbelief*

Keywords: ,
(32)
More »

Comments

  1. #1 Dan Gaston
    April 21, 2011

    For most researchers I know their work laptop is also their personal laptop so “not taking it home” makes zero sense. When it comes to government agencies you should only have a laptop if you need to routinely travel, or work from home, with that specific laptop. Again in that case leaving the laptop at the office makes no sense.

    People just need to take better care of their stuff. And backup research regularly of course.

  2. #2 becca
    April 21, 2011

    Having recently suffered the ‘loss’ (harddrive recovery service eventually got it back after major $$$) of my thesis, I can wholeheartedly agree with the “BACK IT UP” sentiment. However, that wouldn’t have actually helped here. Things that would have helped: not leaving the laptop in a car.

  3. #3 Corkscrew
    April 21, 2011

    It’s not the taking it home that’s stupid, it’s the failure to have:
    1) automated backups to a central server
    2) the master copies of everything stored on a network drive
    3) full-disk encryption.

    As Dan points out, a laptop you can’t take out of the office is basically a desktop with really crappy specs.

  4. #4 Kemanorel
    April 21, 2011

    I agree with Becca… Don’t leave your laptop in your fucking car.

  5. #5 Dan Gaston
    April 21, 2011

    I’d say “Don’t leave a visible laptop/laptop bag in a car. Tossing it in the trunk, stashing it under other stuff, etc in a car is usually going to be fine. You just don’t want to be the obvious target of opportunity.

  6. #6 Eric Lund
    April 21, 2011

    As others have stated, the problem here is not the lack of backups, it’s that sensitive data were allowed to be copied to a laptop and reside there in a format such that anyone in possession of said laptop could access it. That database should have been on a master server (with adequate backups–at least hourly, in this case) behind a heavy duty firewall, with only authorized users allowed access, and only for the purpose for which they need access; the only copies of that database that should have existed would be the backups. That level of security isn’t the best possible (to do that you would have to have the database on a computer not connected to the network–Los Alamos protects their bomb codes that way), but it is an acceptable compromise given that authorized users need to be able to update the database.

  7. #7 JohnV
    April 21, 2011

    Clearly what needs to be done is address the root cause: a society in which privileged people think its ok to steal things. If you disagree with this, or even suggest that the victim could have done a single solitary thing to prevent it, then you’re blaming the victim and an evil tool of the kleptiarchy.

    haha bizzaro day for me.

    If my job provided me with a computer (a desk and cubicle/office would be grand, but a computer would be a good start) I wouldn’t have to transport a laptop back and forth. Note that I don’t do any work at home on my laptop.

  8. #8 Greg Laden
    April 21, 2011

    What Corkscrew said.

  9. #9 stripey_cat
    April 21, 2011

    I’ve always admired the approach the Queen’s Messengers take: if the documents are really important, handcuff the case to your left arm. Only a really determined thief with a machete is getting those. It stops you leaving them on public transport, too.

  10. #10 stogoe
    April 21, 2011

    if the documents are really important, handcuff the case to your left arm.

    I thought was just good sense for all covert/secure transactions, at least on TV. Sure it’s a little conspicuous but it’s a little safer.

  11. #11 Drivebyposter
    April 21, 2011

    I’ve always admired the approach the Queen’s Messengers take: if the documents are really important, handcuff the case to your left arm. Only a really determined thief with a machete is getting those. It stops you leaving them on public transport, too.

    What if you duct tape it to your chest and hide it under a puffy coat?

  12. #12 Childermass
    April 21, 2011

    If it is the data of the researcher, I really don’t care if they take the laptop home. Just back it up. They need to do that even if it stays at work.

    But…

    If that laptop has confidential information of 100 thousand people on it, then it should stay at work. No exceptions whatsoever. Any violator should be fired immediately — no warnings. Indeed the data is worth millions. Taking it home should be as ludicrous as taking a suitcase filled with several million dollars in cash so one can count it at home. Indeed the data on that laptop is worth more than several million dollars. It is worth a lot more.

    Indeed identity theft is such a problem that we might need to make it a crime to take the data home or to ever have it on a computer that is allowed to leave a secured location.

  13. #13 Childermass
    April 22, 2011

    If one wants to risk their personal data or a company wants to risk its corporate data fine. But the moment the data is the private information of members of the public, the right to work were it is convenient ends.

    And I don’t care how good the encryption is. Because it if it is done wrong or not done at all, it is all for not. And human nature being what it is, I can guarantee that many won’t do it right. And it is likely that we might never know it. And then we we have the problem that private info for 100,000 people is worth a lot on the open market.

    And yes, I am aware how much of pain, nuisance, and expense what I am proposing can be. But that cost is nothing compared to the cost to the public if criminals get access to private information. For one person’s data can result in thousands of dollars in losses.

  14. #14 Brian
    April 22, 2011

    Why is anyone in the least bit surprised that this happened?

    Human stupidity is a limitless and perfectly renewable resource.

  15. #15 g724
    April 22, 2011

    3, 5, and 6 are correct; 12 and 13 show a lack of knowledge of IT systems.

    That said, why were those individuals not provided with IT support? Seems to me that their institution bears the responsibility for providing them the support they need to do their work in a manner that does not create added risk.

    So far we have:

    = The individuals didn’t ask for support.
    = The institution didn’t offer support.
    = The individuals left an unsecure machine in a high risk location.
    = And a thief stole it.

    Going on a blame game doesn’t solve this: there were four points at which things went wrong that could have been prevented. A solution applied at any of those levels would have prevented loss of the data.

    And the lesson is: don’t let things fall through the cracks. When something breaks down at one level, someone at another level needs to step up to the plate and deal with it.

    If you are in a situation where you need IT support to ensure the security and integrity of research data or other critical data, ask for that support, and keep doing it, in writing, relentlessly. Be nice but be firm and persistent. Accept whatever support is offered.

    If you are being asked or expected to carry a machine containing unsecured critical data under risky circumstances (e.g. “take your laptop home tonight and finish the analysis”), raise the security issue in writing and ask for explicit directions as to how to proceed, and then follow those directions.

    If at that point something happens, you have a “paper trail” with which to demonstrate that you have done everything in your power to prevent loss of data. Then you and whoever else, can escalate the issue through the institution as needed to prevent a recurrence. Sometimes it takes a significant loss before an institution recognizes the need for support resources. This, unfortunately, is human nature.

  16. #16 tac
    April 22, 2011

    Its almost impossible not to have some PHI/confidential information on your hard drive (lap top or otherwise) if you work in health care.

    I can’t believe they didn’t have the hard drive encrypted—Our university requires it, on laptops that are used for university “business”.

    They are idiots for not having a back up.

  17. #17 Poodle Stomper
    April 22, 2011

    Hey ERV,

    I don’t know if you commented on this yet No Evidence of XMRV or Related Retroviruses in a London HIV-1-Positive Patient Cohort.. It came out late last month. No surprise…or XMRV in London HIV patients tested. =P

  18. #18 ERV
    April 22, 2011

    Its gotten boring reporting on all the negative papers, because they are all negative :-/

    But just to make the point clear, if anyone missed it, it is beyond bizarre that XMRV cannot be found in HIV+ patients, if it is a real human pathogen.

    Logical conclusion, taking this paper in isolation: XMRV is probably not a real human pathogen.

    Logical conclusion, taking this paper in concert with all the other XMRV-/HIV+ papers, and all the other XMRV- papers, the papers putatively explaining XMRV+ results via contamination, and the bizarre nature of the XMRV+ papers: XMRV is not a real human pathogen.

  19. #19 William Wallace
    April 23, 2011

    Who doesnt back up their data?

    I don’t know. My guess would be liberal arts and soft science majors.

    In other news, Some guy who looks oddly familiar is in a bit of trouble.

  20. #20 John Marley
    April 23, 2011

    @Willy Wally

    A guy (who has been identified) kinda looks like someone else. What’s your point? Oh, that’s right, you’re an asshole.

  21. #21 minimalist
    April 23, 2011

    John, you just don’t understand >>>REAL SCIENCE<<< the way Limp Willy does.

    And you never will.

    Barring traumatic brain injury, of course.

  22. #22 minimalist
    April 23, 2011

    Bah, that was meant to say “REAL SCIENCE the way Limp Willy does.” At least until those angle-brackets interfered.

  23. #23 William Wallace
    April 24, 2011

    “…kinda looks like…” … “…real science…”

    Yeah, not fake science like evolution. “When you were an embryo, you went through a stage where you kinda looked like a porpoise. Ergo, your anncestors and dolphins’ anncestors are the same. Evolution fact, baby. Just like gravity. Gotcha.” (Fade out with biologist patting himself on back, as he runs to Jiffy Lube to have his blinker fluid topped off).

    At least the pope strikes back. Should be fun after the science bloggers get back from their weekend of backing up their hard drives.

  24. #24 minimalist
    April 24, 2011

    “It is impossible to believe that random chance could have produced a globe-spanning cult of child molesters.”

    - Pope Creepo XXI, world authority on nothing

  25. #25 John Marley
    April 24, 2011

    @Willy Wally:

    Wow. Just…wow. Have you always been that stupid, or is it a result of massive head trauma?

  26. #26 Poodle Stomper
    April 24, 2011

    In order to correct Willy, one would first need to take him through the very basic Biology 101 classes and then work their way up. I don’t really have the desire, atm. Anyone who does is welcome to it.

  27. #27 John A Marley
    April 24, 2011

    In order to correct Willy, he would first have to be willing to learn. Even if someone out there has the desire, take my advice: don’t waste your time.

  28. #28 William Wallace
    April 24, 2011

    You have failed to identify the biggest problem. In order to correct me, you’d first have to be correct. Given the fact that “stupid” is one of the biggest words in a science blogger’s vocabulary, it doesn’t, “like”, look promising.

    “Do ya kinda git it?”

  29. #29 John A Marley
    April 26, 2011

    Given the fact that “stupid” is one of the biggest words in a science blogger’s vocabulary,

    Only with regard to trolls.
    “Do ya kinda git it?”

  30. #30 OleanderTea
    May 7, 2011

    Why are people storing that kind of information on their laptops in the first place? I work in health insurance IT, and my work in progress is stored on a share drive on the workplace server; I can log in to that server from home.

    Seriously, I don’t get it. Then again, a hospital employee here in Massachusetts left folders containing patient information on the T, so I’m just going with “people don’t think these things through”.

  31. #31 cvghhsdf
    July 23, 2011

    sdrtge

  32. #32 EvilYeti
    January 24, 2012

    Wow, can’t believe I missed this one.

    My full-time job is as a security guy for a major research University. A few years ago I interviewed for a CISO position at one of our affiliates.

    I was actually asked about whether I would allow scientists to bring sensitive data out of the office on laptops. I emphatically stated no, as I mentioned that in my experience they were much more likely to lose it than actually do anything useful with it. If they want to work, they can come into the office. It’s why it was built, after all.

    Needless to say, I didn’t get the gig.

    So, what needs to change is that the security guys need to be able to tell the researchers what to do and not the other way around. Until then this is going to keep happening.