Taking another person's laptop without their permission or consent
Laptop theft (or notebook theft) is a significant threat to users of laptop computers. Many methods to protect the data and to prevent theft have been developed, including alarms, laptop locks, and visual deterrents such as stickers or labels. Victims of laptop theft can lose hardware, software, and essential data that has not been backed up. Thieves also may have access to sensitive data and personal information. Some systems authorize access based on credentials stored on the laptop including MAC addresses, web cookies, cryptographic keys and stored passwords.
According to the FBI, losses due to laptop theft totaled more than $3.5 million in 2005. The Computer Security Institute/FBI Computer Crime & Security Survey found the average theft of a laptop to cost a company $31,975.[1] In a study surveying 329 private and public organizations published by Intel in 2010, 7.1% of employee laptops were lost or stolen before the end of their useful lifespan.[2] Furthermore, it was determined that the average total negative economic impact of a stolen laptop was $49,256, primarily due to compromised data and efforts to retroactively protect organizations and people from the potential consequences of that compromised data. The total cost of lost laptops to all organizations involved in the study was estimated at $2.1 billion.[3] Of the $48B lost from the U.S. economy as a result of data breaches, 28% resulted from stolen laptops or other portable devices.[4]
In the 2011 Bureau Brief prepared by the NSW Bureau of Crime Statistics and Research, it was reported that thefts of laptops have been on the increase over the last 10 years, attributed in part to an increase in ownership but also to the fact that they are an attractive proposition for thieves and opportunists. In 2001, 2,907 laptops were stolen from New South Wales dwellings, but by 2010 this had risen to 6,492, second only to cash among items taken by thieves. The Bureau reports that one in four break-ins in 2010 resulted in a laptop being stolen. This startling trend in burglaries lends itself to an increase in identity theft and fraud due to the personal and financial information commonly found on laptops. These statistics do not take into account unreported losses, so the figures could arguably be much higher.[5]
Businesses have much to lose if an unencrypted or poorly secured laptop is misappropriated, yet many do not adequately assess this risk and take appropriate action. Loss of sensitive company information is a significant risk to all businesses, and measures should be taken to adequately protect this data. A survey conducted in multiple countries suggested that employees are often careless or deliberately circumvent security procedures, which leads to the loss of the laptop. According to the survey, employees were most likely to lose a laptop while travelling at hotels, airports, rental cars, and conference events.[6]
Behling and Wood examined the issue of laptop security and theft. Their survey of employees in southern New England highlighted that not only were security measures fundamentally basic but that training employees in security measures was limited and inadequate.
100% of the surveyed employees had access to company information via a laptop from remote sites that included their own homes.
78% were authorized to store company data on their laptop.
36% of businesses did not provide security training.
They concluded that trends in laptop thefts needed to be monitored to assess what intervention measures were required.[7]
Inside protection
Passwords are no longer adequate to protect laptops. There are many solutions that can improve the strength of a laptop's protection. Full disk encryption (FDE) is an increasingly popular and cost-effective approach. FDE can be implemented in software, in hardware, or with a combination of both. With pre-boot authentication, FDE protects the data before the operating system starts up; however, precautions still need to be taken against cold boot attacks.
There are a number of tools available, both commercial and open source, that enable a user to circumvent passwords for Windows, Mac OS X, and Linux. One example is TrueCrypt, which allows users to create a virtual encrypted disk on their computer.[8]
Passwords provide a basic security measure for files stored on a laptop, though combined with disk encryption software they can reliably protect data against unauthorized access. Remote Laptop Security (RLS) is available to confidently secure data even when the laptop is not in the owner's possession. With Remote Laptop Security, the owner of a laptop can deny access rights to the stolen laptop from any computer with Internet access.
Physical protection
A number of computer security measures have emerged that aim at protecting data. The Kensington Security Slot along with a locking cable provides physical security against thefts of opportunity. This is a cord that is attached to something heavy that cannot be moved, and is then locked into the case of the laptop, but this is not 100% secure.[9]
Another possible approach to limiting the consequences of laptop theft is to issue thin client devices to field employees instead of conventional laptops, so that all data will reside on the server and therefore may be less liable to loss or compromise. If a thin client is lost or stolen, it can easily and inexpensively be replaced. However, a thin client depends on network access to the server, which is not available aboard airliners or any other location without network access.
This approach can be coupled with strong authentication such as single sign-on (SSO).
In 2006, a laptop in the custody of a data analyst was stolen; it contained personal and health data of about 26.5 million active duty troops and veterans.[12] The agency has estimated that it will cost between $100 million and $500 million to prevent and cover possible losses from the data theft.[13] In 2007, the United States Department of Veterans Affairs agreed to pay $20 million to current and former military personnel to settle a class action lawsuit.[14]
In 2007 the Financial Services Authority (FSA) fined the UK's largest building society, Nationwide, £980,000 for inadequate procedures when an employee's laptop was stolen during a domestic burglary. The laptop had details of 11 million customers' names and account numbers and, whilst the device was password protected, the information was unencrypted. The FSA noted that the systems and controls fell short, given that it took the Nationwide three weeks to take any steps to investigate the content on the missing laptop. The substantial fine was invoked to reinforce the FSA's commitment to reducing financial crime.[15]
In 2010, the VA reported the theft of a laptop from an unidentified contractor; the computer contained personally identifiable information on 644 veterans, including data from some VA medical centers' records.
After learning about the unencrypted laptop, VA investigated how many VA contractors might not be complying with the encryption requirement and learned that 578 vendors had refused to sign new contract clauses that required them to encrypt veteran data on their computers, an apparent violation of rules.
Common locations
LoJack for Laptops has compiled a list of the top ten places from which laptops are stolen:[16]
Public Schools (K–12)
Residential Properties
Automobiles (excluding taxis)
Businesses/Offices
Universities and Colleges
Restaurants and Cafes
Hotels and Motels
Dormitory
Airports
Public Transit (taxi, bus, train)
To provide some context, the Ponemon Institute released a study that indicates over 600,000 laptops will be lost or stolen at US airports every year, with 65–69% of them remaining unclaimed.[17]
Fitzgerald, Jacqueline; Poynton, Suzanne (May 2011), "The changing nature of objects stolen in household burglaries", NSW Bureau of Crime Statistics and Research; Crime and Justice Statistics Bureau Brief, 62, Department of Attorney General and Justice: 1–12
Behling, Robert; Wood, Wallace (2007). "Laptop Theft: A Growing Concern For Organizations". Journal of Computer Information Systems (JCIS). VIII: 291–6.
"TrueCrypt". TrueCrypt. Archived from the original on 24 December 2013. Retrieved 28 February 2014.