Anger is seething among several employees of the city of Brighton (Colorado) whose bank account numbers, Social Security numbers and addresses may have been compromised by the city’s lead IT engineer.
Jeromy King was playing in a charity golf tournament Monday at the Ranch Country Club in Westminster when someone apparently took a laptop computer from his pickup.
The laptop contained the sensitive payroll information of city employees.
[…]
Johnson did say the information on the computer was encrypted.
Read more on TheDenverChannel.com
The companion news video indicates that almost 350 employees had data on the laptop.
If the data on the laptop was encrypted, then:
1) Why was this inadequate security?
2) Why was anything compromised?
Or did the person just CLAIM it was encrypted, or was it encrypted with a key written on the laptop/etc. so as to render the encryption moot?
If you’re asking why this incident got reported on a web site named “Office of Inadequate Security,” then I should point out that not all incidents reported on the site involve inadequate security. That said, I personally do consider it “inadequate security” to leave a device with PII in a vehicle.
As to the encryption, some people might argue that we shouldn’t consider this a breach at all because there was encryption (and some laws certainly would grant safe harbor for encryption), but if encryption can be cracked, should we be so quick to say “no breach” without knowing how strong the encryption was? Nor do we know whether the encryption key was with the laptop.
If you were running this web site, would you have included this incident?