Spike in Laptop Thefts Stirs Jitters Over Data

Correction to This Article
In a June 22 Metro article, Michael Vatis's current affiliation with the Markle Foundation's Task Force on National Security in the Information Age was incorrectly reported. He was the executive director of the task force from 2003 to 2004.

"Quite often, you see the line worker has more data than the upper echelons of the company or agency," Larson said. "The secretary for the CEO has more data on a laptop than the CEO of the company. That's the person doing the memos, doing the spreadsheets. And that's where the sensitive information is."

The ING employee whose laptop was stolen was a working-class type, fastidious enough to report that "nine cans of beer and two jars of change" were also stolen from his Southeast D.C. house, according to police.

Virginia security consultant Kevin Mandia said that databases are simply no longer guarded like the "crown jewels" inside giant, blinking mainframes, and companies are opting for the cost-effectiveness of giving employees laptops rather than desktop computers.

But laptops go to employees' homes, where they can be stolen. Encrypting the data would be one safeguard, but some computer experts say encryption software is cumbersome, expensive and rarely implemented.

Laptop theft is clearly on the rise in the District, said Capt. Michael Reese, who heads the D.C. police department's special investigations unit. Reese said the laptops turn up in pawnshops for about $400 or on the street sold by junkies for $20. But he doesn't remember ever tracing a case of identity theft back to a stolen computer.

"There are various ways that people have their identity stolen: wallet, trash, copying your name at the restaurant, looking at a credit card real quick, all different ways," Reese said. "But not the kind of 'I Spy' stuff like getting it off a stolen laptop."

Mandia's laptop was stolen several years ago. He found it at a pawnshop on Lee Highway being sold for $400, but no one had opened it, turned it on or accessed the highly sensitive unencrypted data it contained, he said.

That has been the case with most such thefts.

If someone wants to be an identity thief, it's far easier to go on overseas-based Web sites that auction off blocks of stolen credit card numbers, eBay-style, said Michael Vatis, a lawyer and executive director of the Markle Foundation's Task Force on National Security in the Information Age.

Vatis said it would be laborious, time-consuming and a gamble for identity thieves to target middle managers, follow them and steal their laptops, hoping a database would be there.

"If this is your business, stealing people's identity, you're better off with a business model where you're not looking for a needle in a haystack but you're looking for hay, and there are haystacks everywhere," he said.

But assuming that stolen data will remain untapped is dangerous, said Beth Givens, director of the Privacy Rights Clearinghouse, a consumer advocacy group in San Diego.

Givens said it's probable that, in many cases, laptops are taken by unsophisticated burglars uninterested in what's inside. But she said the majority of identity theft cases are never traced back to the origin of the theft.

"I don't want to be alarmist, but there are so many breaches being reported these days," Givens said. "We all just need to assume our personal information, especially our Social Security numbers, are at risk."

Staff writer Ernesto Londoño contributed to this report.