By Petula Dvorak
Washington Post Staff Writer
Thursday, June 22, 2006
It has become the police-blotter item of our age: A small-time burglar swipes a laptop and fences it for a quick $200 at a pawnshop.
But increasingly, these petty crimes are causing anxiety in executive suites across the country as one corporation after another alerts customers that laptops holding troves of sensitive records have been stolen.
Week after week, Americans who conscientiously shred every piece of mail and all credit card receipts learn that their personal information was stored in the laptop of a low-level employee who casually took it out of the office and that it has ended up in the hands of some penny-ante crook.
"We used to be worried about credit card receipts, and tearing those up. Now we have to worry about everybody's spreadsheets," said Scott Larson, a former FBI agent who used to track cyber criminals and is now managing director for Stroz Friedberg LLC, a consulting and technical services firm.
In the past six weeks, laptop thieves have found themselves holding thousands of credit card numbers from Hotels.com, birthdates from District pensioners who put their retirement funds in ING, addresses of nuclear power plant employees, account numbers of Mercantile Potomac Bank customers -- or even the Social Security numbers of people who work for Equifax, the credit reporting giant.
Untold millions of Americans are affected. Last month, the U.S. Department of Veterans Affairs reported that a stolen laptop and computer hard drive taken from an employee's house in Montgomery County contained personal information on 25.5 million veterans and military personnel.
Montgomery police have been distributing fliers with a photograph and a description of the stolen laptop. "It is a priority of the department to find that laptop," said Lt. Eric Burnett, a police spokesman.
Social Security numbers and the birthdates of 13,000 District workers and retirees were among the data contained on a laptop stolen last week from the Southeast Washington house of an employee of ING U.S. Financial Services.
And Wednesday, Equifax reported that an employee's laptop was stolen on a London train, compromising the personal records of about 2,500 of the company's Atlanta-based employees.
"By the time you add up a million here and 900,000 there and 4 million over there, you've covered most of the credit-holding and wage-earning population of the U.S.," said Marcus J. Ranum, a firewall designer, in an e-mail. "I'm sure my math is suspect, but I estimate that there are about 156 Americans whose personal information has not yet been compromised."
The thefts are being reported in large part because many states have passed laws requiring disclosure of potential data breaches.
What is striking to many people is how widespread and haphazard the spread of personal information has become in companies and government.
"Quite often, you see the line worker has more data than the upper echelons of the company or agency," Larson said. "The secretary for the CEO has more data on a laptop than the CEO of the company. That's the person doing the memos, doing the spreadsheets. And that's where the sensitive information is."
The ING employee whose laptop was stolen was a working-class type, fastidious enough to report that "nine cans of beer and two jars of change" were also stolen from his Southeast D.C. house, according to police.
Virginia security consultant Kevin Mandia said that databases are simply no longer guarded like the "crown jewels" inside giant, blinking mainframes, and companies are opting for the cost-effectiveness of giving employees laptops rather than desktop computers.
But laptops go to employees' homes, where they can be stolen. Encrypting the data would be one safeguard, but some computer experts say encryption software is cumbersome, expensive and rarely implemented.
Laptop theft is clearly on the rise in the District, said Capt. Michael Reese, who heads the D.C. police department's special investigations unit. Reese said the laptops turn up in pawnshops for about $400 or on the street sold by junkies for $20. But he doesn't remember ever tracing a case of identity theft back to a stolen computer.
"There are various ways that people have their identity stolen: wallet, trash, copying your name at the restaurant, looking at a credit card real quick, all different ways," Reese said. "But not the kind of 'I Spy' stuff like getting it off a stolen laptop."
Mandia's laptop was stolen several years ago. He found it at a pawnshop on Lee Highway being sold for $400, but no one had opened it, turned it on or accessed the highly sensitive unencrypted data it contained, he said.
That has been the case with most such thefts.
If someone wants to be an identity thief, it's far easier to go on overseas-based Web sites that auction off blocks of stolen credit card numbers, eBay-style, said Michael Vatis, a lawyer and executive director of the Markle Foundation's Task Force on National Security in the Information Age.
Vatis said it would be laborious, time-consuming and a gamble for identity thieves to target middle managers, follow them and steal their laptops, hoping a database would be there.
"If this is your business, stealing people's identity, you're better off with a business model where you're not looking for a needle in a haystack but you're looking for hay, and there are haystacks everywhere," he said.
But assuming that stolen data will remain untapped is dangerous, said Beth Givens, director of the Privacy Rights Clearinghouse, a consumer advocacy group in San Diego.
Givens said it's probable that, in many cases, laptops are taken by unsophisticated burglars uninterested in what's inside. But she said the majority of identity theft cases are never traced back to the origin of the theft.
"I don't want to be alarmist, but there are so many breaches being reported these days," Givens said. "We all just need to assume our personal information, especially our Social Security numbers, are at risk."
Staff writer Ernesto Londoño contributed to this report.