KAI RYSSDAL: You think you're doing pretty well with Internet security, don't you. Protecting your passwords and not giving out information. Well, smart as you are, the bad guys are even smarter. There were two surveys out this week from Web security companies. They say hackers aren't wasting time with viruses, anymore. They're jumping through corporate security flaws the day they're discovered. Which is how Social Security numbers can be taken from office networks. Credit-card numbers, too. Never mind what happens when laptops are stolen outright. Here's Sean Cole.
SEAN COLE: I've been trying to figure out a way to really bring home the magnitude of this corporate laptop theft problem. And I figured the best way was to use Marketplace's tried-and-true method of imparting a whole lot of information in a very short period of time. And so, ladies and gentlemen, let's do the numbers.
About 18,000 Bank of America customers got a memo back in May saying their Social Security numbers were on a laptop stolen out of an employee's car. That same month a laptop was stolen from a branch of Omega World Travel, containing the credit card info of 80,000 Department of Justice workers. Not to be outdone, Bank of America had another laptop stolen in August. In November, 161,000 Boeing employees were told that a laptop containing their Social Security numbers was lifted. Geddit? Boeing? Lifted? In February, Ernst and Young was hit. In March it was Fidelity. As I was writing this paragraph, Boeing called again to say that, since we talked, another laptop was grabbed away from an HR rep at an airport. We're talking, at least, 14 different companies, three state governmental agencies, five hospitals and nine colleges and universities. You're listening to Marketplace!
Of course, the thieves probably don't know there's a bunch of sensitive information on these laptops. In any case, they never seem to find it. All the companies I talked to said the data was password-protected and that there's been no fraud as a result of the thefts . . . yet. But password shmassword, the data's still vulnerable. So the companies have had to send out these really awkward apology letters.
JONATHAN ZITTRAIN: And you can imagine, they're starting to get better at drafting these things. You know, here's your spring newsletter. And you have some good news with it and then at the bottom . . . And by the way, we lost a bunch of your personal data and please call this number.
This is Jonathan Zittrain, a co-founder of the Berkman Center for Internet and Society at Harvard Law School. He says he's not surprised that all of this information is walking around on portable computers. People want to be productive on the run, he says. But he says there are pretty sure-fire ways to protect sensitive information. Like, encrypting it, or leaving the data on the main server and remotely tunneling through the Internet to work with it.
ZITTRAIN: And it's strange that it's taken as long as it has to really have these practices not only shape up but to be implemented and I think there are still a number of companies out there, many of whom have employees who haven't implemented even the basics of encryption and data security.
For example, there's this financial services company called Ameriprise. It's an off-shoot of American Express. Encryption of sensitive data is company policy at Ameriprise. But when a laptop was stolen from an employee's car in December, it turned out the data on it was not encrypted — including the Social Security numbers of about 68,000 financial advisors. So the company fired the employee and basically told the rest of its staff not to be like him.
STEVEN CONNOLLY: We shared with them where the policies are located, that they should read up on them, that they should know the policies.
Steven Connolly is director of communications at Ameriprise.
CONNOLLY: Some of the policies are about encryption. They also include things like securing physical assets of the company like computer laptops.
COLE: Like, not putting it in your car, basically.
But education . . . even re-education can only go so far.
GREG VAN PELT: Even with all the technological solutions, there's the human element where you have to trust your colleagues.
Greg Van Pelt is a senior vice president at Providence Health and Services, a health care system that operates in the northwest. Providence Health has had four laptops stolen from employee cars since September. Smash and grab jobs. Though one was more of a "Lift the door handle and grab" job. Car was unlocked.
VAN PELT: You have to educate. You have to reeducate. And then you have to trust.
Worse yet . . . In December a bunch of computer back-up discs and tapes were stolen out of an employee's car. They contained information on 365,000 Providence Health patients. And no, the company hadn't fully encrypted everything. Though it has now. The problem is Providence Health kind of has to carry this stuff around on laptops. It does home visits, updating patient information on the spot. Nonetheless, Van Pelt says the thefts have changed the company's attitude toward laptops a little bit.
VAN PELT: All I can tell you, everybody in the organization is very aware and they rarely leave the office.
COLE: The laptops do.
VAN PELT: Yes.
COLE: Do they stay in locked cars?
VAN PELT: Yes.
But only in the trunk, Van Pelt says, not the back seat. Plus, he says, field reps have wireless now so they're carrying around less information than they used to. Still, understandably, patients haven't reacted too well.
NEVA CAVATAIO: It's a bummer. It's a drag. I try so hard to protect my information.
This is Neva Cavataio, a soon-to-be graduate student in Portland. She gets some of her medication through Providence. She got a letter back in March saying her information was on one of the stolen laptops.
CAVATAIO: And you see these news reports everybody's ramming down everyone's throat: You gotta be careful with your stuff. . . . And then you give it to a hospital, which you think that they're advocates of patient privacy and stuff, and then they're leaving it thrown in the back seat of a car and it gets broken into.
Cavataio says Providence is paying a credit monitoring service to keep an eye on her particulars for a year, a common "I'm sorry" that companies offer in this situation. And not a cheap one. Boeing, for instance, has had 80,000 people sign up for that service. Boeing is also actually doing something about this kind of five-finger information theft. New rule: No downloading sensitive employee data onto laptops.
In Boston, I'm Sean Cole for Marketplace.