BP Loses Laptop With Oil-Spill Claimants' Personal Info
Oxford_Comma_Lover writes "CNN Reports that BP lost a laptop with the name, address, DOB, and SSNs of everyone who filed claims related to the big oil spill last year. In other words, everyone asking for money from them based on the spill just got their private info misplaced. There has been no allegation of bad faith."
oh, (Score:3, Funny)
Re: (Score:1)
And let this be a lesson for anyone else who would seek to extort money from those fine humanitarians at British Petroleum.
Coincidentally, I saw this earlier today:
I for one do not welcome our new corporate overlords.
Re: (Score:1)
Re:oh, (Score:5, Insightful)
Never attribute to malice that which is adequately explained by stupidity.
With such enormous levels of stupidity, the entire company should just be shut down and the entire management thrown into a mental hospital.
Yeah, that's good for Napoleon & other dictato (Score:1)
Just typical, I'm afraid. (Score:2)
Not malicious, just another spill. Likely into deep water. It'll now take them three or four months to figure out how to recover it.
Re:oh, (Score:5, Insightful)
How about an additional answer: consider well what data you carry on a mobile device.
I have serious difficulty figuring out what scenario was in play that required this particular data to be on a laptop in the first place. Some mobile sales guy needed the data to plug in at a hotel conference room and make a presentation? Some jet-setting bigwig needed to massage the data and do some data-mining while on a trans-oceanic flight?
Even if the laptop's user was tasked with "visit each of these people individually and tell them 'no' in plain English", the data should have been partial and redacted.
Sorry, but corporations - like the human beings they're comprised of - put data on theft-prone devices that shouldn't be there in the first place. Encrypted or not.
Re: (Score:2)
The obvious use that comes to mind would be a field agent going out to a town meeting where claimants are asked to come and discuss any issues they have with their i
Re: (Score:2)
The obvious use that comes to mind would be a field agent
Which utterly fails to explain why they have the date of birth, much less social security number. If they can provide a valid photo ID with their name on it to prove their identity that ought to be good enough. You might argue for a masked SSN to differentiate Joe Smith #1 and Joe Smith #1, but name and address ought to be good enough for that; if they live at the same house you can probably treat them as part of the same household. And if not, take out a pen and paper and write a goddamned exception rat
Re: (Score:2)
So upload that data daily. (Score:1)
"masked ssn" my ass! (Score:1)
You're trying too hard to excuse the corporation. (Score:1)
And such a field agent should download one day's data at a time. If that scenario is not "far-fetched" then that only means that many, many people are too stupid for current technology.
Re:oh, (Score:4, Informative)
That said, disk encryption (almost certainly full disk; because you Do Not Want to have to puzzle out all the possible locations that a modern OS and suite of common programs may stash temporary files, caches, etc.) is more or less a must for sensitive information that leaves the site. It reduces the hazards of sloppy disposal even for desktops that are only supposed to leave the building at EOL.
You can get disks that do it in hardware, there are a variety of software options; but it is pretty much the bare minimum of responsible handling of sensitive data. Even better, of course, is never actually having the data on the device in the first place. With the comparatively low cost of broad internet coverage today, forcing people working on really sensitive stuff to do so only in a terminal session that actually lives on a nice cozy server back in your locked cage, with only pictures and input device events going back and forth over the (SSL secured) wire is fairly practical and means that even a badly rooted client is limited to some screengrabs and a stolen client gets nothing but a stock OS with one of the terminal clients installed.
3g mobile is far from cheap and some areas (Score:2)
3g mobile is far from cheap and in some areas the speeds may be too low to have a good VPN / remote speed, and the cost over 5GB is like $10+ per GB, and don't even think about roaming: Adam Savage hit $11,000 with just a few hours of web surfing in Canada on an iPhone.
Re: (Score:2)
Because when you call for a hit, you want to make sure that the correct person ends up in lavender.
Re: (Score:2)
Are we? Did we get transported back to 1998 [wikipedia.org]? Think I'll put a few hundred on the Broncos!
Darn! I've checked. It's 2011 and you're an ignorant, fat, bigoted asshat.
Re: (Score:1)
Are we? Did we get transported back to 1998? Think I'll put a few hundred on the Broncos! Darn! I've checked. It's 2011 and you're an ignorant, fat, bigoted asshat.
BP acquired Amoco. That doesn't change the fact that they still have a ton of money they can use for securing important data. In the future why don't you take some time to explain whatever point you're trying to make instead of casting bile everywhere.
Re: (Score:1)
Naw, if the AC in question had been actually shilling for M$ instead of just parodying our recent influx of Microsoft shills, he'd have said that the whole incident could have been prevented by not hosting any of the data on the laptop in the first place. Bitkeeper was last year's buzzword. This year's buzzword appears to be all about yelling "To the Cloud!"
Ye
Re: (Score:2)
What, like dickless workstations in the early 90s?
I still use dickless workstations to this day.
Re: (Score:2)
Or if you'd rather not spend the cost of a game console on an operating system just to use its OS-specific encryption, just use Truecrypt, a multi-platform encryption solution that costs $0 and can do everything BitLocker can and more.
Re: (Score:1)
Yes, my Windows machine runs exclusively Microsoft. None of that 'Firefooks' and 'Googlidoo' for me. Only Microsoft. Microsoft and Adobe. Yes, Microsoft and Adobe.. and Java.. these three programs I run on my Windows machine. There's no reason to run anything else. And your machine stays squeaky clean. For safe computing use only Microsoft recommended products. Four out of five dentists agree..
Re: (Score:2)
"Loosing" it? Did they run out of glue?
Chronically incompetent (Score:1)
These people defy belief ...
Do they seek out morons in their corporate recruitment program, or are they just unlucky?
Re: (Score:2)
The morons are the ones who would work best under the managers. It's not deliberate selection, merely a compatibility issue.
SSN? (Score:3, Insightful)
Why do they need your SSN to process a damages claim?
Re: (Score:1)
My same thoughts about the DOB too. Driver's license number I could understand, but SSN and DOB? Are they going to fill out a w-4 for them? Maybe a 1099-MISC.
Re: (Score:2)
They're going to be paying them reparations, or at least some fraction of them... So, yes, there are almost certainly going to be tax implications.
Re: (Score:2)
Why should only people who drive be able to claim? Even in the parts of the US affected driving is not mandatory...
Re: (Score:1)
Well, let's see. Most banks require an ID to open an account. Most check-cashers want an ID to cash a check. So, besides toting your social security card and your birth certificate around with you to prove your identity, it's more convenient to use a state issued ID. In this example, I used a driver's license as a quick example of a state issued identification card with a number, since ALL states use a unique number on these cards, be it a driver's license or a plain ID card.
I don't have anything against th
Re: (Score:1)
Well, let's see. Most banks require an ID to open an account. Most check-cashers want an ID to cash a check.
Most banks use some form of identity verification. However, at least the last bank account I opened, this did not involve the presentation of any physical paperwork. I certainly didn't need a birth certificate, I simply told them my SSN, and I didn't present any state issued ID. IIRC, when I opened a bank account back in the 80s I had to go through something like that, but not recently. As for check-cashers, I assume you're talking about people to stand around in the bank talking to people who go in? D
Re: (Score:2)
Why didn't you say passport? Oh, hang on...
Re: (Score:1)
Americans are more unlikely to have a passport vs a State issued ID.
Re: (Score:1)
Americans are more unlikely to have a passport vs a State issued ID.
But are they more unlikely to have a passport [gyford.com] or be functionally literate [usatoday.com]? For this shitty country's brainwashed masses to take their own unearned "exceptionalism" as an article of faith is just hilarious in the face of the facts.
Re:SSN? (Score:4, Informative)
For a lost income claim, the money is taxable (just as the income it is supposed to be replacing would be).
Other types aren't but that doesn't mean they don't report them to the IRS anyway.
Re:SSN? (Score:4, Interesting)
For a lost income claim, the money is taxable (just as the income it is supposed to be replacing would be).
The problem is tax evasion. There's a million "bubba gump shrimp boats" down there, that "on paper" never make more than a couple K of taxable income per year. But under the table they were absolutely raking it in. Cash sales to restaurants. Cash sales at the pier to brokers. Cash sales to general public and/or local fishermen who happen to be at the pier. The only guy in LA with more cash than a dealer is a fishing boat owner. Now with the spill, there is a huge dilemma of how much money they should get from B.P., what they actually made, or what they reported to the IRS.
I'm told by relatives in LA that the IRS takes people down because they are so dumb that they buy diesel for their boat on a credit card, so it's easily tracked, and they spend more money JUST ON DIESEL than they report as gross income to the IRS. There's a whole folklore as to which marina cooperates with the feds and which marinas take cash for fuel, and how it's better to buy diesel at a "gas" station for cash, pay the diesel road tax, and pour it into your boat, than to get busted; apparently offroad has a dye added so you can't burn it onroad, and boat owners buy the dye to make it look like they're burning marina diesel instead of truck diesel.
That gives some idea of how bad the tax evasion is down there. I would not be surprised if this is all a show, and the laptop mysteriously is found in the local IRS office.
Re: (Score:1)
I thought the dye just indicated it was NOT taxed for road use. Meaning if a truck on the road HAS the dye, they get in trouble. However if you use that fuel off road (does on water count as off road?) you don't get in trouble for paying a tax that you didn't need to.
I guess my question is who is out there checking for fuel that was taxed, in a situation where the tax was not required?
In addition to that, my understanding of that dye, is that it tends to stay in the tank, even after re-filling with non-dye fuel. S
Re: (Score:2)
Well, some people have the same name. You don't want to justify not paying a claim to the same person twice, would you?
Re: (Score:2)
They probably have to file a 1099-something to the IRS for any payments they make to claimants.
It will be interesting to see if they end up getting a bigger payment for the lost personal data than they will for their ruined lives and environment.
Re: (Score:2)
Yeah, with those strict data privacy laws the US has...
Re: (Score:2)
The same reason any non-government entity needs it: because it would be more convenient if you had a government-issued serial number, and the closest thing you have to that is your SSN, which they have no right to whatsoever.
Re: (Score:1)
It's actually a federal offense to collect, store and use the SSN of any individual. (of course it hasn't been enforced)
Bad Faith... (Score:5, Interesting)
Any sufficiently big level of stupidity is indistinguishable from malice :)
Actually it is better for you to assume malice than stupidity, because if you go after a fool, he kinda sorta deserved it anyway; if you think a malicious enemy is stupid, you are gonna pay twice for being a fool yourself. Game theory in action. :)
Whew!! Not Stolen At Least! (Score:1)
just misplaced .. it'll turn up any old time ..
Huh? (Score:5, Insightful)
Re:Huh? (Score:5, Insightful)
Oh, IT told them how to securely store the data on the laptop. Being at the executive level, he promptly ignored IT directives because it was "too complicated".
I'm in a large organization, it's INCREDIBLE what hoops IT makes little ol' me jump through to do things on my laptop but Executives are routinely able to do and get the most insane stuff happening on their laptop. Autologin because they keep forgetting their passwords? No duh, changed every 20 days, must contain a non-alphanumeric character, must contain upper and lowercase, not dictionary based, and not similar to the last 20 passwords.....you have ANY idea how fricken hard it is to keep track of not only the main login but all the subsystems we use?
Oh, what's that? The exec has autologin with roboform installed? And this is allowed HOW? Oh right, they're the execs.
- Yo Grark
Re:Huh? (Score:5, Insightful)
No duh, changed every 20 days, must contain a non-alphanumeric character, must contain upper and lowercase, not dictionary based, and not similar to the last 20 passwords.....
I read an editorial a long time ago in the Wall Street Journal, written by a security consultant. The executive had three secretaries working for him, and they had to use the PCs from each other. The executive proudly stated that the passwords needed to be changed every week!
The consultant said that no one could deal with a different password every week. He did a MacGyver, and used a pocket knife to open the drawers in one of the secretaries' desks. There were the passwords, all written down and stored in the top drawer.
The point here is that if you go off all crazy on security policies that are impossible to follow, someone will find a work-around that defeats the purpose.
Re:Huh? (Score:4, Informative)
The point here is that if you go off all crazy on security policies that are impossible to follow, someone will find a work-around that defeats the purpose.
The worst part of your story is the actual failure mode is failure to understand the difference between encryption and authentication.
You're "supposed" to share encryption keys to transfer data, and you've got a huge known plaintext problem with encryption. So you have to change keys / passwords every week or whatever.
In comparison, the only person that knows your authentication password is one human. The computer, if done correctly, only knows a salted hash. Changing passwords is cargo cult science, it's pointless. It's applying a solution from one problem to a completely unrelated problem. And it makes it worse by making password changing and resetting common and trivialized (in addition to making human management of passwords so difficult that they subvert the system as per your report). Finally it feeds illogic and stupidity, in that good security can be a PITA, therefore anything that is a PITA must be good security, right, and the more of a PITA it is the better the security must be?
Re: (Score:2)
It sounds like IT needs a clue. Where I work they put PGP FDE on every laptop. The option to encrypt is not left up to the user at all. The laptop is encrypted and that is that.
Re: (Score:1)
Re: (Score:1)
BP laptops can't be remotely wiped, but they are password protected.
Re: (Score:2)
"password protected?"
If the password doesn't get mangled into an encryption key somehow, it's not protecting anything. "Password Protection" on a laptop is like putting up a forty-foot high steel (.. colored.. plastic..) door next to a patio and hoping thieves are too distracted by the door to notice it's not actually enclosing anything.
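An added example, not from this post or anything BP runs, that puts the point of this post and the "salted hash" post above side by side: a salted verifier is what an authentication system should store, but a file that only carries such a verifier is "password protected" without being encrypted, whereas a file whose password is mangled through a KDF into a key is noise without it. The file layouts, names and the claimant record are made up for the illustration; the HMAC counter-mode keystream is a standard-library stand-in for a real cipher such as AES-GCM from a vetted library.

```python
import hashlib
import hmac
import os

# Constructed toy file formats for the example; not any real product's format.
PBKDF2_ITERATIONS = 100_000


def make_verifier(password: str, salt: bytes = b"") -> bytes:
    """Salted hash of a password: what an authentication system stores so it
    can check a password without keeping the password itself (16-byte salt
    followed by a 32-byte PBKDF2-HMAC-SHA256 digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def check_verifier(verifier: bytes, password: str) -> bool:
    salt, digest = verifier[:16], verifier[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def store_password_gated(data: bytes, password: str) -> bytes:
    """'Password protection' without encryption: the verifier lets software
    refuse to open the file, but the data sits right after it, as-is."""
    return make_verifier(password) + data


def open_password_gated(blob: bytes, password: str) -> bytes:
    verifier, data = blob[:48], blob[48:]
    if not check_verifier(verifier, password):
        raise PermissionError("wrong password")
    return data  # nothing here depends on the password; blob[48:] is the data


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in stream cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def store_encrypted(data: bytes, password: str) -> bytes:
    """Password run through PBKDF2 into an encryption key and a MAC key; the
    data is encrypted under the first and authenticated under the second.
    Layout: 16-byte salt, 32-byte tag, ciphertext."""
    salt = os.urandom(16)
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    enc_key, mac_key = master[:32], master[32:]
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, len(data))))
    tag = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
    return salt + tag + ciphertext


def open_encrypted(blob: bytes, password: str) -> bytes:
    salt, tag, ciphertext = blob[:16], blob[16:48], blob[48:]
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    enc_key, mac_key = master[:32], master[32:]
    expected = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong password or tampered file")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


if __name__ == "__main__":
    # Constructed sample record standing in for one claimant row.
    record = b"name=Jane Doe;dob=1970-01-01;ssn=000-00-0000"
    gated = store_password_gated(record, "hunter2")
    sealed = store_encrypted(record, "hunter2")
    print("plaintext visible in password-gated file:", record in gated)  # True
    print("plaintext visible in encrypted file:", record in sealed)       # False
```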
Re: (Score:3)
"Password Protection" on a laptop is like putting up a forty-foot high steel ...
... blow-out preventer on a well, and then not keeping its batteries fully charged?
Just trying to put it in terms B.P. can easily understand given their recent history...
Re: (Score:1)
speaking of BP... (Score:4, Interesting)
There hasn't been much coverage lately of how the independent engineering team decided the blowout prevention valve's malfunction was to blame and not some active corporate malfeasance after all. On the other hand, there also hasn't been much coverage of how BP owns a lot of the oil facilities in Libya that the US military is now busy defending.
Re: (Score:1)
It seems to be just a loss (Score:3)
Shit happens! Seems like they are doing appropriate damage control (by offering free credit monitoring to affected people). And hopefully, as soon as it comes online if it gets turned on by a novice finder/stealer, it will be wiped/locked by the company's software agent.
Such data is usually copied by many on their laptops or devices so they can run some quick analyses or answer questions -- there is nothing out of the ordinary. It should be treated like any other company laptop loss, except in this case it had a copy of some rather news-worthy data.
Re: (Score:1)
It seems they do have a copy of the data (the original article alludes to that) -- so this is in effect just a loss of a laptop that contained a copy of this data.
Indeed. No doubt they put a copy of this data on every laptop, and keep it on a public server somewhere so anyone can copy it, so they always have many copies around just in case something like this happens. /eyeroll
That whooshing sound you heard when you read the summary was the whole point going over your head. The issue was never that they might no longer have access to the data. The issue is that they aren't doing a particularly good job of making sure not everyone has access to the data.
Such data is usually copied by many on their laptops or devices so they can run some quick analyses or answer questions -- there is nothing out of the ordinary.
If the data is
Re: (Score:2)
Indeed. No doubt they put a copy of this data on every laptop, and keep it on a public server somewhere so anyone can copy it, so they always have many copies around just in case something like this happens. /eyeroll
The issue was never that they might no longer have access to the data. The issue is that they aren't doing a particularly good job of making sure not everyone has access to the data.
You would never know that with the ruckus everyone here was raising at the start of the thread. And by the way - you conveniently ignored the fact that they are doing damage control.
If the data is sensitive, it shouldn't be copied, it should be accessible in such a way that they can do this without requiring an individual copy of the entire database on the laptop. Alternately, if this isn't feasible for the task that needs to be done on that laptop, then much higher levels of security should be required and extra care should be taken to ensure that the machines that do have the data are not stolen or lost.
This is only "nothing out of the ordinary" in the sense that irresponsible behavior and gross negligence are nothing out of the ordinary at BP.
There is a lot of difference between theory and practice. You would know that if you worked for a big organization. I am not condoning the lack of precautions on the executive's part -- the executive needs to be reprimanded properly, but all I am saying is that this stuff happens.
True BP may be bad and evil, but this does not mean t
Re: (Score:1)
What happens before the laptop in question comes online?
Re: (Score:2)
What happens before the laptop in question comes online?
As I said earlier, I am sure that the info is encrypted on the laptop -- it will probably be inaccessible without a proper key. And if the machine comes on, they will be able to wipe it before the OS loads.
Big organizations usually do hedge for such scenarios and have precautions and procedures in place for such events. You don't think they supply their executives with a plain vanilla laptop with Windows on it with no serious authentication measures?
Re: (Score:2)
Re: (Score:2)
What makes you so sure that the info is encrypted on the laptop? Are you assuming that it is? Does the article state that it is?
I said there is a high probability not that I am completely sure. Are you aware of how organizations work with their IT infrastructure? Or do you just think that they buy computer stuff and distribute it to their employees?
Any big organization will have a plan in place for such an event as this -- it is fairly common to expect that laptops can be stolen/misplaced. And that I can be 100% sure that they have some procedure and definitely some protection layers for the data.
I stated this in my last post --
Re: (Score:2)
Eh, just another 'leak' of sorts (Score:1)
BP can't contain anything.. except payouts to its victims...
Incentives at play (Score:2)
Why would they want to lose it after paying large sums of cash?
What other events are going on with BP that would make this a distraction?
What do they gain about making this front-and-center public?
Re: (Score:2)
Why would they want to lose it after paying large sums of cash?
Well, the IRS is gonna be really pissed, but the general public getting money tax free is going to be happy. Assuming "the general public" got the cash and not some politician. Hmm.
Oh, Dear God No! (Score:2)
there's been a data spill!
i bet they find the laptop in the Gulf of Mexico.
Re: (Score:2)
If it were that case, they'd try a few ineffective things and seize proof that their measures were ineffective.
Re: (Score:2)
And someone on /. would suggest the best way to cap the data leak would be to nuke it ...
Re: (Score:1)
[...] the best way to cap the data leak would be to nuke it ...
Hmm... EMP in the laptop's last-seen general vicinity? You may be on to something, vlm.
Re: (Score:1)
there's been a data spill!
i bet they find the laptop in the Gulf of Mexico.
And they're "cleaning it up" with PR just like they "cleaned up" their oil spill with a toxic chemical called Corexit. They're very consistent, in a horrible way.
go easy (Score:1)
Everyone makes mistakes
Re: (Score:2)
Everyone makes mistakes
Here, have a nice refreshing glass of gulf water!
Re: (Score:2)
That would've been a mistake before the spill, too...
Re: (Score:1)
Everyone makes mistakes
Some more than others.
Hey! Is Obama's name in there? (Score:1)
We can find out if he's American or not. He did file a claim, didn't he?
Is this anything like (Score:1)
Failed Design (Score:1)
Re: (Score:1)
Understatement! At Symantec we didn't even let executives just download all the end-of-quarter high-value orders, and that information was vital to timely earnings estimates! We built them a reporting rdbms with "some canned queries" just like you said, which they could access via VPN or from their offices around the world. But the Finance Department did not offer the whole f'ing database to anybody to take from The Company's offices. That shit just isn't done with valuable data -- data that The Company v
"Bad faith" (Score:4, Insightful)
The bad faith isn't in losing the laptop, it's in the BP policy allowing workers to have this information on laptops that can be lost.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
The bad faith isn't in losing the laptop, it's in the BP policy allowing workers to have this information on laptops that can be lost.
At least without crypto to protect it. I keep a lot of sensitive paperwork (contracts, etc) on my laptop, but it goes in an encrypted file system that's only mounted as needed, then unmounted.
Get thee to a coffeeshop! GO!! (Score:1)
If the data was being managed via internal systems over vpn, that would be better... but that assumes that's reliably possible where these people are working.
Where there is a will, there is a way. BP lacked the will, which is to say, they don't give a fuck.
Can Haz Consequences? (Score:1)
Each and every time... (Score:2)
It doesn't happen that often, but each and every time I read a story about a laptop being lost that held critical information, I'm asking myself the same question: How do you lose a laptop?! I've never personally heard of anyone losing a laptop. Not even misplacing one. One got stolen, but I wouldn't count this as "lost", although it is a loss.
they got leaks!! (Score:1)
Private-data leak
What next, Wikileaks?
Why SS numbers? (Score:1)
Why would BP need to collect social security numbers?
Re: (Score:1)
Why would BP need to collect social security numbers?
Maybe so they can try to recoup some of the money they're losing to paying out these claims? I wouldn't put it past 'em. =)
From the desk of Tony (Score:2)
T.Hayward
Worst case scenario (Score:1)
Why is this data on a laptop, again? (Score:1)
WTF IT (Score:1)
I lost my laptop. My dog ate my homework. I was... (Score:2)
So, is BP trying to implement the "I lost my laptop" excuse to keep from paying all of those claims?
What I want to know is: why do people store all of this information on individual laptops?
Things like this have happened so many times before. When will those pinheads learn?
Re: (Score:1)
What I want to know is: why do people store all of this information on individual laptops?
Two words, mschaffer: Plausible deniability.
Laptop can be remotely disabled... (Score:1)
...you think this tidbit from the article might have been included in the teaser. Lojack for laptops, encryption and passwords should be required for any company or academic laptop containing sensitive information.
Well played, BP. (Score:1)
Re: (Score:1)