With all the stories that have circulated through the news and in the depths of the internet, it’s sometimes surprising to hear that mistakes that led to the destruction of one company are being repeated by uncounted others.

This is certainly the case with Clear who, earlier this month, had reported a notebook containing the personal information of approximately 33,000 individuals missing.  It was later found to be in the same room, just a different place, but the company is not 100% certain that the data wasn’t copied off the device during the few hours it was MIA.

33,000 Names

According to the company, the notebook did not contain any biometric data, but it did contain names and drivers license information.  That said, how long can we expect to be fortunate enough to not have biometric data stolen?  If salespeople, executives, and developers have the ability to walk around people’s names, social insurance numbers, drivers licenses, credit card information and just about anything else that could cause financial or legal grief for the person who’s name it’s all attached to, how long before copies of our fingerprints or retina scans are added to the mix?  Heck, if it’s medical data, how long until digital copies of X-Rays, prescription information and a whole host of other very personal information is being carried around for the sake of expediency?

Security is a huge hassle, there’s no doubt about it.  It can get in the way of cool application features, and takes a good effort to implement properly.  To make matters worse, developers often have no idea of its effectiveness until something is lost or there’s a foiled attempt to steal such data.  We hear about the former far more often than the latter, so there’s often little comfort in hearing that “only a small subset of all the personal information stored on a server was actually lost.”

All this said, notebooks are known to “have legs.”  They’re stolen so often all around the world that it’s just plain foolish to not have an encrypted drive or, at the very least, properly encrypted databases.  A little effort can go a long way here, even though most of the time it might not appear that way.

No Reason To Panic

This story concerns me mainly because the notebook was quickly recovered.  While it’s great that Clear reported the loss immediately, even with it possibly impacting their business, I’m concerned that this company (or others) might later decide to delay reports and gamble that they’ll recover the data before much time passes.  It’s true that just because a device is missing does not mean that someone is stealing it, but how can one be certain?  How will they know that the data wasn’t copied to a USB device before a stray notebook or PDA is found somewhere it doesn’t belong?

Ones and zeroes are incredibly easy to copy.  I walk into at least a dozen medium to large businesses every week where there’s at least one notebook that’s not being watched.  It wouldn’t take much effort for me to “borrow” it for a few minutes to move some data to a USB key before returning the computer to some place it doesn’t belong.

I’d be just an amateur at data theft, but five minutes of my time could cost a company millions in damages.  Just imagine what a seasoned professional could do.