Boeing Fires Employee whose Laptop was Stolen

Rich Tate

One would hope that anytime a piece of sensitive equipment like a laptop is stolen, a company will take the proper steps to ensure it won’t happen again.

The Boeing employee whose stolen laptop carried personal information on 382,000 workers and retirees has been fired, according to an internal memo from chairman and CEO Jim McNerney.
 
Sometimes people can't control where someone steals their laptop, it can be at the office, during a business trip, at home... even when it's secured. However, I think management is trying to save face and cover the tracks so to speak with firing an employee.

Now if the employee was negligent, then yes, they should be gone.
 
Every time I hear of a laptop stolen with a lot of personal data, I wonder why is that information on the laptop to begin with?

Why do they put sensitive information on a laptop that is so easily portable and stolen? Even if the laptop is closely guarded or "secure", this type of information should not be stored on laptops in my opinion.
 
Whether the firing was justified or not depends a lot on information we don't have. Perhaps the employee wasn't authorized to have that kind of information on the laptop? I personally use Remote Desktop software to interface my remote work stations with my office PC. It keeps me on one desktop, and as long as I don't store the password, anything that happens to the remote pc won't compromise any company information.
 
No laptop should have the personal info of 400,000 people on it. That info should be on servers in a security tight room, nowhere else. Scary to think where all of our personal info is right now...
 
Ockie said:
Sometimes people can't control where someone steals their laptop, it can be at the office, during a business trip, at home... even when it's secured. However, I think management is trying to save face and cover the tracks so to speak with firing an employee.

Now if the employee was negligent, then yes, they should be gone.

The negligence was that the employee failed to encrypt the data, which is required by Boeing.
 
Most of the time when an electronic device is stolen, the thief wants the device, not the data on it, especially a laptop.
 
LabRat said:
The negligence was that the employee failed to encrypt the data, which is required by Boeing.


Yes, but even encrypted, it's still stolen and agencies still have to alert the potential customers.
 
the-one1 said:
Most of the time when an electronic device is stolen, the thief wants the device, not the data on it, especially a laptop.

Nevertheless, confidential data of thousands of people is still contained on that hard drive. If the thief is smart enough, he can easily extract that data and then sell it to someone who wants it. Not to mention, I'm sure that there's plenty of CC info on those drives as well.
 
In my experience, most users are too incompetent to be trusted with the security of their company's IP and HR information outside of the enterprise environment. Likewise, the catch-22 of ease-of-access mandated by the C**'s (CEO, COO, etc etc) who are equally as incompetent punches huge holes in the data security the company has expended millions on to implement.

I like the phrase about how the entire chain of management will be "reprimanded" for this incident. But what about the executive who signed off on policy that didn't place tighter restrictions on the access of EDP equipment to corporate data interests?

Each laptop should have been configured to only allow the user logged in to write to encrypted file stores on the disk if it was going to be used to hold that kind of personal information, and any external media should have been disallowed write access to any removable media. Additionally this kind of portable device should have been equipped with an anti-theft transponder system, as well as a password protected boot access. This should have been handled by their corporate IT department.

If the bonehead emailed this information to his home computer, then I could see where this was grounds for immediate termination. Likewise if he intentionally circumvented the security management, the same applies.

Until executives get their heads out of their anuses and realize that data security is not meant to be convenient, this BS will continue, and the lowest man on the totem pole will be sacrificed in the interest of stock prices. Too bad the financial analysts still don't have a clue about data security, except what the marketing department at Symantec tells them.

/end rant
 
I agree that those above him are just as incompetent and culpable as he was.
 
thedude42 said:
In my experience, most users are too incompetent to be trusted with the security of their company's IP and HR information outside of the enterprise environment. Likewise, the catch-22 of ease-of-access mandated by the C**'s (CEO, COO, etc etc) who are equally as incompetent punches huge holes in the data security the company has expended millions on to implement.

I like the phrase about how the entire chain of management will be "reprimanded" for this incident. But what about the executive who signed off on policy that didn't place tighter restrictions on the access of EDP equipment to corporate data interests?

Each laptop should have been configured to only allow the user logged in to write to encrypted file stores on the disk if it was going to be used to hold that kind of personal information, and any external media should have been disallowed write access to any removable media. Additionally this kind of portable device should have been equipped with an anti-theft transponder system, as well as a password protected boot access. This should have been handled by their corporate IT department.

If the bonehead emailed this information to his home computer, then I could see where this was grounds for immediate termination. Likewise if he intentionally circumvented the security management, the same applies.

Until executives get their heads out of their anuses and realize that data security is not meant to be convenient, this BS will continue, and the lowest man on the totem pole will be sacrificed in the interest of stock prices. Too bad the financial analysts still don't have a clue about data security, except what the marketing department at Symantec tells them.

/end rant

Ah, there ya go - trying to inject logic and reason into the situation....

Of course, what you say is true. CEO's/CFO's won't budget money that MIGHT pay for itself that year, and won't want to pay for it year after year at ever increasing cost, for something they MIGHT wish they had.

I'm a former IT contractor from Boeing, and I can tell you their IT department(s) are so chock full of bureaucracy that the stuff that makes sense (not storing sensitive files locally/using remote access via VPN instead, et al) would never get implemented.

My current employer is having the same problem. Not to get off-topic, but we're in desperate need of a backup system, redundant fiber, failover PIX and more for our system, but getting our IT director to go to his boss for the funds is like trying to get blood from a turnip. They're not going to spend the $10,000 needed for network redundancy that they might never use.

The same applies in this story.

When I was at Boeing, employees didn't store information locally. Not for security reasons, but simply because a hardware failure would set them back weeks, if not months in their work. Then again, there were (and probably still are) employees there who think the rules don't apply to them and do it their own way - my educated guess as to what happened in this case.

It makes absolutely no sense why someone with a database of names like that would jeopardize it knowingly. They did it for convenience, plain and simple. Either they had no remote access into the network to use the data from home, didn't know how to set it up, or simply wanted faster load times than what it would be should the front-end be connected to the database over the network vs local.

I have no sympathy at all for this individual.
 
ComputerBox34 said:
Not to mention, I'm sure that there's plenty of CC info on those drives as well.

I doubt there was any personal credit card info involved. Why would Boeing have employees' personal CC #s? (Company issued CCs is another matter.)

I used to work for a major consulting firm that based all its financial info on individuals' Social Security Numbers. While the info was only stored on a server (to which limited people had access), it was standard operating procedure to run WIPs (Work in Progress reports) and email them to the project managers and partners involved or to give them printouts, both of which would include the SSNs of every person on a given project.

Heck, I even had a printout of nothing but the SSNs of every professional staff in the region so I could look up what projects they were on. A stolen laptop or briefcase and you could put literally thousands at risk for identity theft.

I was also expected to replicate entire databases of confidential company sales/billing info to my laptop so that I could pull it up at off-site meetings. Yes, you had to log into the network to access these things initially, but there was absolutely no encryption or login required to access anything subsequently stored locally on your laptop.

I agree the higher-ups are to blame for lax security. Stupid business practices FTL. :(
 
Taranis17 said:
Ah, there ya go - trying to inject logic and reason into the situation....

Another one of those "you know you work in IT when..." statements. Can't tell you how many times I've heard that EXACT statement :p

Taranis17 said:
My current employer is having the same problem.

Funny, same here.

Taranis17 said:
I have no sympathy at all for this individual.

I guess I just give him the benefit of the doubt due to my own sense of responsibility as an admin and the disturbing trend I have seen in the past few years of blatant disregard of the responsibility of those with actual authority.
 
At the very least all businesses should encrypt their laptop hard drives. It's not that hard and the cost is well worth it if you manage to avoid even one lawsuit due to lost data belonging to a client or customer.

Employees, at all levels, are complete freaking idiots. Even the IT guys are wickedly stupid because they are always too arrogant (If you are an IT guy yourself and you just thought "No I am not too arrogant" then I believe my point is made). Never trust anyone, even yourself as the head of IT, and spend ridiculous amounts of money on securing data in ways the user would have to work hard at to fark up, and that works without them having to do anything on their own.
 
LabRat said:
The negligence was that the employee failed to encrypt the data, which is required by Boeing.

I didn't see the link to this news thread, and I don't see where it said the data was or wasn't encrypted and whether the laptop had been recovered, so if the laptop is still out there, then the only one who would know if it was or wasn't encrypted is the employee who had the laptop last. Did he say the data wasn't encrypted??
 
Why would Boeing do this in the first place? They should all be fired...

Why not put the sensitive information on a highly secured server, then have limited access given to a few people.. ??? And all non-approved IPs be firewalled from the server.... Once a laptop is stolen, the IP is firewalled... problem solved.

This is rather silly. What if more employees steal laptops to take higher-ups positions? lol
 
I am always wondering how much data in Gbytes is involved. Is it 1, 2 or 4 Gbytes or 10?
A lot of data without pics usually doesn't require much space.

I guess that there are even companies who could put their backup on a 4Gig memory stick or small hard disk. This memory stick can be held in your wallet or better in a safe.

Laptops stolen with sensitive info is really an issue lately; it also happened here with somebody from the department of justice.

So keeping sensitive info on a laptop is not a sensible thing to do; they are an easy target for theft.
 
ComputerBox34 said:
No laptop should have the personal info of 400,000 people on it. That info should be on servers in a security tight room, nowhere else. Scary to think where all of our personal info is right now...


Yea.. it really makes you think..

I've bought from newegg, ebay, amazon, buy.com, etc using social security numbers, banking information, etc..

All of our information goes to those companies, the financial institutions they use, their partners (in some cases), etc.. At the end of the day, probably 10's of thousands of people have access to your information

I really wonder why people worry so much about their SS numbers being stolen.. I always think to myself when somebody complains about giving it out that any bum that works at a cell phone store has access to that info whenever they want, as well as any bank worker, credit card company, anywhere you pay a bill at, etc. Millions of people have your SS number at the tip of their fingers. I'm not saying you should just hand it out.. but worrying about that kind of thing is kinda stupid IMO.
 
Oldie said:
Whether the firing was justified or not depends a lot on information we don't have. Perhaps the employee wasn't authorized to have that kind of information on the laptop? I personally use Remote Desktop software to interface my remote work stations with my office PC. It keeps me on one desktop, and as long as I don't store the password, anything that happens to the remote pc won't compromise any company information.

This is how I do it too.

I also agree with your first statement. What if the employee was careless with company property (i.e., left it on a table in a Starbucks while making a restroom break)? What if Boeing mandates encryption standards for portable computers, and the employee's machine wasn't in compliance? There's so many things we don't know, and aren't likely to know.

I think if laptops are going to have sensitive data at all, that there needs to be a mandatory disk-encryption system that won't boot the machine without the key (and hopefully, the system uses two-factor authentication to make it more secure). But better yet that sensitive employee information not be allowed on laptops at all. Remote Desktop, Citrix, etc. are much better ways to be able to get to data without having it stored on the local hard disk of a portable machine.
 
IMHO, firing the one who lost the laptop with the personal data isn't enough. We must also fire the IT team for not caring about the security of this database...

Like others said, it should be locked in a server room with only a few ppl having access to them directly. Remote data checking should be done via some secure means and with the ability to be cut off without the proper login procedure.
 
I was just talking to a friend of mine whose wife works for Boeing. For at least her division, they've put out a notice that HR personnel can no longer work remotely. Some of these people had to drive around 7 hours to get to the closest Boeing facility, and they don't even have an office to work in.

Isn't it great when 1 person messes it up for everyone else? Boeing has a process for taking in a remote device, and getting an OK from the IT department to confirm that the information has been encrypted appropriately before it can be used. Someone got lazy, and royally screwed over more responsible individuals.

Nutz.
 
WS6 said:
I didn't see the link to this news thread, and I don't see where it said the data was or wasn't encrypted and whether the laptop had been recovered, so if the laptop is still out there, then the only one who would know if it was or wasn't encrypted is the employee who had the laptop last. Did he say the data wasn't encrypted??

Sorry I didn't see this previously. I'm not sure exactly how Boeing knows the data was not encrypted, but according to a Boeing spokesman (Tim Neale), it was not.

http://seattlepi.nwsource.com/business/295982_boeinglaptop14ww.html
http://www.computerworld.com/action...ArticleBasic&articleId=9006098&intsrc=hm_list
 