Late Friday, the city of Houston revealed that a laptop stolen from the car of a city employee on February 2 may have contained sensitive personal information, including health care data of city employees. It went by as a relative blip on the Friday evening radar. After all, it's the weekend and a stolen laptop is a rather bland occurrence as crimes in the big city go.
But, given the fact that the laptop was city property and likely contained a bunch of information on it related to city employees, it is not only disturbing, it raises serious questions about the entire incident simply from a technological standpoint. We could also ask why the city decided to release the information late on a Friday, but we all know the answer to that one. And it absolutely should raise the debate over why the government's technology infrastructure, particularly at the state and local level, is so outdated if it is indeed there to protect employees and its citizenry. For now, we have a few basic tech questions.
How well protected was the laptop in question?
The most basic form of protection for most computers is a password. In the case of a city computer with sensitive data, we would hope that included requirements for strong passwords on both the machine itself and any software or database that could compromise the data. But, that is unlikely. Anyone who has worked in any level of IT services knows the biggest security threats to any organization are its employees. Viruses acquired through sketchy emails or banned websites as well as overly weak passwords are the enemy of information security people everywhere.
It would be interesting to know what security was in place on the stolen laptop and if the passwords used by the employee in question were better than "123456," which is, incidentally, the most commonly used password on the internet.
What exactly was on it that would constitute a security breach?
We got a hint when the city mentioned police investigations and social security numbers, but that is a HUGE swath of information. And it makes us wonder, how could those two things be on a SINGLE computer? Why would anyone put that information onto a portable hard drive inside a laptop? Which brings us to...
Why does the city use laptops in the first place?
One of the first rules of security is not allowing data to be portable unless absolutely necessary. The minute you put sensitive information onto a laptop and then put that into a car, you are asking for trouble. We are assuming this was a COPY of said data, but regardless, it should never end up on a laptop that can leave a secure building.
In the press release, the city said, "The City has reinforced strong measures already in place to protect against breaches. HR professionals are trained not to remove laptops from City offices unless any sensitive data is encrypted." Well, two things here. First, why would they be allowed to remove them AT ALL? Why not switch to desktops and bolt those bastards to the desks? Second, how are you trusting employees to recognize the need for encryption, let alone actually deploy it? And what kind of encryption are we talking about? There are lots of options that may not be enough.
If the laptop did contain actual hard data, why isn't that stored on a server instead of on individual computers?
This is the one that makes us most uncomfortable. Why in God's name would a bunch of sensitive employee and police information not be stored in a secure facility instead of on hard drives? Then, if you want to distribute laptops, you can simply add software that secures their login to the main server from remote locations without actually having the data on the machine they are using. It is pretty much how nearly everyone outside of a ridiculous espionage movie does it — no, the CIA doesn't routinely carry around lists of undercover agents on thumb drives.
It makes sense that the city might want employees to have access to work when not in the office, but those computers should come equipped only with access and not the actual data itself. That's computer security 101.
What exactly is the protocol in situations like this?
This is the one that most worries us. What are they doing to protect those who may have been exposed? It better be more than a free credit monitoring service because if one person's info gets stolen, they will need more than just a monitoring service to fix it and the city could be liable for the costs associated with any losses. Never mind the fact that police case information, which could compromise investigations and even put lives at risk, may have been involved. We certainly hope it didn't take the city 21 days to alert employees who may have been exposed. In the world of data theft, 21 days may as well be 21 years. The city has a lot to answer for and if that sensitive data really does get sold onto the dark web or ends up in the hands of credit thieves, there will be a lot more questions to answer and many of them may come in depositions instead of through the media.