Slashdot Mirror


BP Loses Laptop With Oil-Spill Claimants' Personal Info

Oxford_Comma_Lover writes "CNN Reports that BP lost a laptop with the name, address, DOB, and SSNs of everyone who filed claims related to the big oil spill last year. In other words, everyone asking for money from them based on the spill just got their private info misplaced. There has been no allegation of bad faith."

137 comments

  1. oh, by lolololol · · Score: 3, Funny

    How convenient...

    1. Re:oh, by PsychoSlashDot · · Score: 5, Insightful

      How about an additional answer: consider well what data you carry on a mobile device.

      I have serious difficulty figuring out what scenario was in play that required this particular data to be on a laptop in the first place. Some mobile sales guy needed the data to plug in at a hotel conference room and make a presentation? Some jet-setting bigwig needed to massage the data and do some data-mining while on a trans-oceanic flight?

      Even if the laptop's user was tasked with "visit each of these people individually and tell them 'no' in plain English", the data should have been partial and redacted.

      Sorry, but corporations - like the human beings they're comprised of - put data on theft-prone devices that shouldn't be there in the first place. Encrypted or not.

      --
      "Oh no... he found the .sig setting."
    2. Re:oh, by fuzzyfuzzyfungus · · Score: 3, Informative

      You sound like you were raised by Steve Ballmer and rocked to sleep each night by a loving marketing brochure. Lay it on a bit thicker, will you?

      That said, disk encryption (almost certainly full disk; because you Do Not Want to have to puzzle out all the possible locations that a modern OS and suite of common programs may stash temporary files, caches, etc.) is more or less a must for sensitive information that leaves the site. It reduces the hazards of sloppy disposal even for desktops that are only supposed to leave the building at EOL.

      You can get disks that do it in hardware, there are a variety of software options; but it is pretty much the bare minimum of responsible handling of sensitive data. Even better, of course, is never actually having the data on the device in the first place. With the comparatively low cost of broad internet coverage today, forcing people working on really sensitive stuff to do so only in a terminal session that actually lives on a nice cozy server back in your locked cage, with only pictures and input device events going back and forth over the (SSL secured) wire is fairly practical and means that even a badly rooted client is limited to some screengrabs and a stolen client gets nothing but a stock OS with one of the terminal clients installed.

    3. Re:oh, by Ethanol-fueled · · Score: 0, Funny
      As an ardent Microsoft product user(they're better than Linux and they work too :), I have to agree.

      Bitlocker hides all of my interspecies porn and evidence of my Ponzi schemes like a blanket over an underage ladyboy. And since I make lots of money and work for the Mormon church(they're kinda like Scientology except that they get 4 wives), it's not like anybody would be coming up to me asking to see those or anything, LOL!

      Microsoft software is so good that their e-mail services don't allow those populist terrorists to hide in Tunisia, Egypt, and Yemen. Microsoft are an American icon, like Narus and AT&T are!

      You know what is also good about Microsoft? They don't hire black people! No hootin' and hollerin' in that shop, nosiree. In fact, the Windows 7 EULA specifically states that,

      "If your skin is darker than a paper grocery bag, you must immediately return this product in exchange for its equivalent value in food stamps"

      It's no wonder why increasing numbers of Slashdot(a forum for linux and unux geeks) are seeing the light and converting to Microsoft software for their computing needs.

    4. Re:oh, by Anonymous Coward · · Score: 0

      i wonder if that laptop was the only one with the data gathered...

      silly me... of course it was, otherwise there's no point in 'loosing' it.

    5. Re:oh, by Anonymous Coward · · Score: 0

      BP : You mean Libya & Syria haven't diverted EVERYONE's attention yet? Who the fuck is still paying attention to us? Can we sue them into submission? Somebody get SONY's legal team on the phone.

    6. Re:oh, by Solandri · · Score: 1

      I have serious difficulty figuring out what scenario was in play that required this particular data to be on a laptop in the first place. Some mobile sales guy needed the data to plug in at a hotel conference room and make a presentation? Some jet-setting bigwig needed to massage the data and do some data-mining while on a trans-oceanic flight?

      The obvious use that comes to mind would be a field agent going out to a town meeting where claimants are asked to come and discuss any issues they have with their individual claim. He doesn't know ahead of time which claimants are going to be there, and he doesn't know if he'll have Internet access or if it'll be fast enough for him to VPN into BP's servers to pull the data from there on an as-needed basis. So he needs a copy on his laptop so he can look up the details of each individual claim. I remember similar meetings being done after the Exxon Valdez spill, between Exxon and local fishermen. Well, minus the laptops; those weren't that common back then.

      Not saying that's what's happened here. The scenarios you give are certainly possible too. Just saying that putting the data on a laptop isn't quite so far-fetched.

    7. Re:oh, by PopeRatzo · · Score: 0

      How convenient...

      And let this be a lesson for anyone else who would seek to extort money from those fine humanitarians at British Petroleum.

      Coincidentally, I saw this earlier today:

      (Reuters) - Shares in oil major BP fell on Tuesday on a report the company's managers could face manslaughter charges following the Gulf of Mexico oil spill, which could lead to much higher fines over the disaster.

      I for one do not welcome our new corporate overlords.

      --
      You are welcome on my lawn.
    8. Re:oh, by Anonymous Coward · · Score: 0

      How convenient...

      And let this be a lesson for anyone else who would seek to extort money from those fine humanitarians at British Petroleum.

      Coincidentally, I saw this earlier today:

      (Reuters) - Shares in oil major BP fell on Tuesday on a report the company's managers could face manslaughter charges following the Gulf of Mexico oil spill, which could lead to much higher fines over the disaster.

      I for one do not welcome our new corporate overlords.

      Since when are the executives of large corporations held responsible in any meaningful way for disastrous things that happen due to their company's actions or inaction?

      (captcha was "unveil")

    9. Re:oh, by Anonymous Coward · · Score: 1

      You sound like you were raised by Steve Ballmer and rocked to sleep each night by a loving marketing brochure. Lay it on a bit thicker, will you?

      Naw, if the AC in question had been actually shilling for M$ instead of just parodying our recent influx of Microsoft shills, he'd have said that the whole incident could have been prevented by not hosting any of the data on the laptop in the first place. Bitkeeper was last year's buzzword. This year's buzzword appears to be all about yelling "To the Cloud!"

      Yelling "To the Cloud!" has become my office's equivalent of yelling "Bingo" when playing Bullshit Bingo. Some salesweasel starts yakking on about SAAS, someone responds with "What, like dickless workstations in the early 90s?", and while the salesweasel tries to figure out what we're talking about (because he was still in high school when "the network was the computer" and diskless workstations were all the rage, running SunOS on the front end and talking to Oracle databases on the back end) someone yells out "To the Cloud!" and everybody (except the hapless salesweasel) collapses in laughter.

    10. Re:oh, by suomynonAyletamitlU · · Score: 1

      The obvious use that comes to mind would be a field agent

      Which utterly fails to explain why they have the date of birth, much less social security number. If they can provide a valid photo ID with their name on it to prove their identity that ought to be good enough. You might argue for a masked SSN to differentiate Joe Smith #1 and Joe Smith #1, but name and address ought to be good enough for that; if they live at the same house you can probably treat them as part of the same household. And if not, take out a pen and paper and write a goddamned exception rather than trying to fit it into your database or whatever.
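The data-minimisation idea raised in this sub-thread (a "partial and redacted" copy, a masked SSN to tell two Joe Smiths apart), as an added example that is not part of any comment. The record layout, column names, sample claimants and the server-side key are all constructed assumptions; the point is that the field copy carries no full SSN or DOB, only a keyed token computed before export.

```python
import hashlib
import hmac

# Columns a field agent plausibly needs; everything else stays on the server.
FIELD_COLUMNS = ("claim_id", "name", "address", "status")

# Constructed key: in practice it lives only on the server that builds the
# extract. Without it, the 9-digit SSN space cannot be brute-forced from tokens.
SERVER_KEY = b"constructed-demo-key-never-leaves-the-server"

# Constructed sample data (000-prefixed SSNs are never issued).
CONSTRUCTED_RECORDS = [
    {"claim_id": "C-1001", "name": "Joe Smith", "address": "12 Pier Rd",
     "status": "pending", "ssn": "000-00-0001", "dob": "1960-02-03"},
    {"claim_id": "C-1002", "name": "Joe Smith", "address": "12 Pier Rd",
     "status": "paid", "ssn": "000-00-0002", "dob": "1985-07-19"},
]


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits, enough for a verbal confirmation."""
    digits = "".join(c for c in ssn if c.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return "***-**-" + digits[-4:]


def claimant_token(server_key: bytes, ssn: str, dob: str) -> str:
    """Stable per-person identifier that does not reveal SSN or DOB."""
    digits = "".join(c for c in ssn if c.isdigit())
    message = f"{digits}|{dob}".encode()
    return hmac.new(server_key, message, hashlib.sha256).hexdigest()[:16]


def field_extract(records, server_key: bytes):
    """Build the copy that is allowed onto a laptop."""
    rows = []
    for rec in records:
        row = {col: rec[col] for col in FIELD_COLUMNS}
        row["ssn_masked"] = mask_ssn(rec["ssn"])
        row["claimant_token"] = claimant_token(server_key, rec["ssn"], rec["dob"])
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in field_extract(CONSTRUCTED_RECORDS, SERVER_KEY):
        print(row)
```
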

    11. Re:oh, by countertrolling · · Score: 1

      Yes, my Windows machine runs exclusively Microsoft. None of that 'Firefooks' and 'Googlidoo' for me. Only Microsoft. Microsoft and Adobe. Yes, Microsoft and Adobe.. and Java.. these three programs I run on my Windows machine. There's no reason to run anything else. And your machine stays squeaky clean. For safe computing use only Microsoft recommended products. Four out of five dentists agree..

      --
      For justice, we must go to Don Corleone
    12. Re:oh, by mwvdlee · · Score: 5, Insightful

      Never attribute to malice that which is adequately explained by stupidity.

      With such enormous levels of stupidity, the entire company should just be shut down and the entire management thrown into a mental hospital.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    13. Re:oh, by lennier1 · · Score: 1

      "Loosing" it? Did they run out of glue?

    14. Re:oh, by Anonymous Coward · · Score: 0

      he doesn't know if he'll have Internet access or if it'll be fast enough for him to VPN into BP's servers to pull the data from there on an as-needed basis.

      There it is, the ultimate argument for the Internet Interstate and local public facilities. Only this time private bypasses, bridges and superhighways can be added without limits similar to the highway system.

    15. Re:oh, by Anonymous Coward · · Score: 0

      To a proper M$ shill, "To the Cloud!" is synonymous to "To the Azure!" A corporate shill would not forget to mention a proper branded solution instead of a general notation used by an independent consulting house shill.

    16. Re:oh, by Anonymous Coward · · Score: 0

      Never attribute to stupidity that which is adequately explained by a desire to hurt those that bother you.

    17. Re:oh, by GameboyRMH · · Score: 1

      Or if you'd rather not spend the cost of a game console on an operating system just to use its OS-specific encryption, just use Truecrypt, a multi-platform encryption solution that costs $0 and can do everything BitLocker can and more.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    18. Re:oh, by GameboyRMH · · Score: 1

      What, like dickless workstations in the early 90s?

      I still use dickless workstations to this day.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    19. Re:oh, by tlhIngan · · Score: 1

      Which utterly fails to explain why they have the date of birth, much less social security number. If they can provide a valid photo ID with their name on it to prove their identity that ought to be good enough. You might argue for a masked SSN to differentiate Joe Smith #1 and Joe Smith #1, but name and address ought to be good enough for that; if they live at the same house you can probably treat them as part of the same household. And if not, take out a pen and paper and write a goddamned exception rather than trying to fit it into your database or whatever.

      What if the field agent was going about collecting that data? Affected people come in, state your case and fill in the information, and done. For monetary compensation, I think SSN+DOB (the only way to ensure uniqueness) is required for tax purposes.

      For mass disasters where the damage can be localized, it's often easier to just open a temporary office to collect all the information in person than try to handle some sort of mail in system. And human to human conversations add enough "je ne sais quoi" that people feel more comfortable that things are happening.

    20. Re:oh, by Anonymous Coward · · Score: 0

      Never attribute to stupidity what is adequately explained by venality.
      With such enormous levels of greedy evil, the entire company should be shut down and the entire management hanged, drawn, quartered and the bodies sent to all the corners of the land.

    21. Re:oh, by ReedYoung · · Score: 1

      Since We The People of the United States decided that it's time to re-introduce democracy to our "representatives" and "leaders."

      --
      "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
  2. Chronically incompetent by Anonymous Coward · · Score: 1

    These people defy belief ...

    Do they seek out morons in their corporate recruitment program, or are they just unlucky.

    1. Re:Chronically incompetent by jd · · Score: 1

      The morons are the ones who would work best under the managers. It's not deliberate selection, merely a compatibility issue.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  3. SSN? by innocent_white_lamb · · Score: 3, Insightful

    Why do they need your SSN to process a damages claim?

    --
    If you're a zombie and you know it, bite your friend!
    1. Re:SSN? by Anonymous Coward · · Score: 0

      Probably to report it to the IRS.

    2. Re:SSN? by yeshuawatso · · Score: 1

      My same thoughts about the DOB too. Driver's license number I could understand, but SSN and DOB? Are they going to fill out a w-4 for them? Maybe a 1099-MISC.

    3. Re:SSN? by nedlohs · · Score: 3, Informative

      For a lost income claim, the money is taxable (just as the income it is supposed to be replacing would be).

      Other types aren't but that doesn't mean they don't report them to the IRS anyway.

    4. Re:SSN? by headhot · · Score: 1

      Well, some people have the same name. You don't want to justify not paying a claim to the same person twice would you?

    5. Re:SSN? by Anonymous Coward · · Score: 0

      Why do they need your SSN to process a damages claim?

      Because they'd ask you for a SSN when you get a Kleenex if they could. The US is remarkably dysfunctional when it comes to identification numbers. Ostensibly the SSN is supposed to be private, but everything wants it, and they only give it to you on a paper card. How useful!

      The country would benefit so much from any number of systems but there's a crew of Jesus freaks who think it's an unconstitutional sign of the Beast and so it won't happen.

    6. Re:SSN? by zippthorne · · Score: 1

      They're going to be paying them reparations, or at least some fraction of them... So, yes, there are almost certainly going to be tax implications.

      --
      Can you be Even More Awesome?!
    7. Re:SSN? by mpe · · Score: 1

      My same thoughts about the DOB too. Driver's license number I could understand, but SSN and DOB?

      Why should only people who drive be able to claim? Even in the parts of the US affected driving is not mandatory...

    8. Re:SSN? by yeshuawatso · · Score: 1

      Well, let's see. Most banks require an ID to open an account. Most check-cashers want an ID to cash a check. So, besides toting your social security card and your birth certificate around with you to prove your identity, it's more convenient to use a state issued ID. In this example, I used a driver's license as a quick example of a state issued identification card with a number, since ALL states use a unique number on these cards, be it a driver's license or a plain ID card.

      I don't have anything against those without a driver's license, I just used the term for convenience. You're just being an asshole.

    9. Re:SSN? by hazem · · Score: 1

      They probably have to file a 1099-something to the IRS for any payments they make to claimants.

      It will be interesting to see if they end up getting a bigger payment for the lost personal data than they will for their ruined lives and environment.

    10. Re:SSN? by Anonymous Coward · · Score: 0

      SSN is used to validate claims, ie, each SSN is given its own settlement. Not everyone has a driver's license or state id.

    11. Re:SSN? by osu-neko · · Score: 1

      Well, let's see. Most banks require an ID to open an account. Most check-cashers want an ID to cash a check.

      Most banks use some form of identity verification. However, at least the last bank account I opened, this did not involve the presentation of any physical paperwork. I certainly didn't need a birth certificate, I simply told them my SSN, and I didn't present any state issued ID. IIRC, when I opened a bank account back in the 80s I had to go through something like that, but not recently. As for check-cashers, I assume you're talking about people to stand around in the bank talking to people who go in? Do they still have those? I haven't been physically inside a bank in over a decade. I certainly haven't had any of the machines I've given checks to require me to show any form of ID beyond the ATM card itself, although I haven't used my ATM card in years, either. My web browser, which has been from where I've sent and "cashed" checks for the last few years, has never once demanded I show it any ID... which is good since I lost my webcam.

      --
      "Convictions are more dangerous enemies of truth than lies."
    12. Re:SSN? by Hognoxious · · Score: 1

      Why didn't you say passport? Oh, hang on...

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    13. Re:SSN? by Hognoxious · · Score: 1

      Yeah, with those strict data privacy laws the US has...

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    14. Re:SSN? by vlm · · Score: 3, Interesting

      For a lost income claim, the money is taxable (just as the income it is supposed to be replacing would be).

      The problem is tax evasion. There's a million "bubba gump shrimp boats" down there, that "on paper" never make more than a couple K of taxable income per year. But under the table they were absolutely raking it in. Cash sales to restaurants. Cash sales at the pier to brokers. Cash sales to general public and/or local fisherman whom happen to be at the pier. The only guy in LA with more cash than a dealer is a fishing boat owner. Now with the spill, there is a huge dilemma of how much money they should get from B.P., what they actually made, or what they reported to the IRS.

      I'm told by relatives in LA that the IRS takes people down because they are so dumb that they buy diesel for their boat on a credit card, so it's easily tracked, and they spend more money JUST ON DIESEL than they report as gross income to the IRS. There's a whole folklore as to which marina cooperates with the feds and which marinas take cash for fuel, and how it's better to buy diesel at a "gas" station for cash, pay the diesel road tax, and pour it into your boat, than to get busted, apparently offroad has a dye added so you can't burn it onroad, and boat owners buy the dye to make it look like they're burning marina diesel instead of truck diesel.

      That gives some idea of how bad the tax evasion is down there. I would not be surprised if this is all a show, and the laptop mysteriously is found in the local IRS office.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    15. Re:SSN? by Anonymous Coward · · Score: 0

      Thanks for explaining the issue.

      It sucks, but in my opinion these tax-evading boat owners should pretty much just be fucked by the oil spill. If they've reported income of a couple grand for the past 10 years... that's all they should be able to get in lost income. Now, the honest fishers who report their income to the IRS, I'd say they're due plenty from BP. As is the rest of the country who are indirectly affected by the spill in dozens of ways.

    16. Re:SSN? by GameboyRMH · · Score: 1

      The same reason any non-government entity needs it: because it would be more convenient if you had a government-issued serial number, and the closest thing you have to that is your SSN, which they have no right to whatsoever.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    17. Re:SSN? by Anonymous Coward · · Score: 0

      reparations are like insurance payments for damaged property - no tax implications - repair payments aren't taxable.

    18. Re:SSN? by sys_mast · · Score: 1

      I thought the dye just indicated it was NOT taxed for road use. Meaning if a truck on the road HAS the dye, they get in trouble. However if you use that fuel off road (on water count as off road?) You don't get in trouble for paying a tax that you didn't need to.

      I guess my question is who is out there checking for fuel that was taxed, in a situation where the tax was not required?

      In addition to that, my understanding of that dye, is that it tends to stay in the tank, even after re-filling with non-dye fuel. So even if you fueled up a few times without the dye, they could still see it and know at some point you used off-road fuel.

      However IANADFE (I Am Not A Diesel Fuel Expert) so perhaps someone can explain?

      --
      Those who can, do.
    19. Re:SSN? by Anonymous Coward · · Score: 1

      It's actually a federal offense to collect, store and use the SSN of any individual. (of course it hasn't been enforced)

    20. Re:SSN? by yeshuawatso · · Score: 1

      Americans are more unlikely to have a passport vs a State issued ID.

    21. Re:SSN? by ReedYoung · · Score: 1

      Americans are more unlikely to have a passport vs a State issued ID.

      But are they more unlikely to have a passport or be functionally literate? For this shitty country's brainwashed masses to take their own unearned "exceptionalism" as an article of faith is just hilarious in the face of the facts.

      --
      "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
    22. Re:SSN? by Anonymous Coward · · Score: 0

      No shit, Sherlock.

  4. Bad Faith... by aralin · · Score: 4, Interesting

    Any sufficiently big level of stupidity is indistinguishable from malice :)

    Actually it is better for you to assume malice than stupidity, because if you go after a fool, he kinda sorta deserved it anyway, if you think a malicious enemy is stupid, you are gonna pay twice for being fool yourself. Game theory in action. :)

    --
    If programs would be read like poetry, most programmers would be Vogons.
  5. Sorry folks by Anonymous Coward · · Score: 0

    I thought it was a good idea to carry the entire claimant database on my laptop. That way I could familiarize myself with the details of the claims, and show it to BP employees I was going to meet at another location to give them an idea of the kind of data we had collected. And if anyone happened to ask whether they were on the list, I could fire up my spreadsheet and give them an answer on the spot.

  6. Isn't saying "no allegation of bad faith"... by Anonymous Coward · · Score: 0

    ... making one?

    1. Re:Isn't saying "no allegation of bad faith"... by ReedYoung · · Score: 1

      No, that's admitting it, while spewing the old Bart Simpson "nobody saw me do it so you can't prove anything" at the same time.

      --
      "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
  7. Whew!! Not Stolen At Least! by Anonymous Coward · · Score: 1

    just misplaced .. it'll turn up any old time ..

  8. Huh? by cultiv8 · · Score: 4, Insightful

    Was it not encrypted? How long after it was "discovered" missing was it remotely disabled? Were they able to wipe it? Why do you keep this type of data on a personal laptop? Seriously BP, you guys make a lot of cash, care to tell us how much of this is going into your IT infrastructure to prevent this from happening?

    --
    sysadmins and parents of newborns get the same amount of sleep.
    1. Re:Huh? by Yo+Grark · · Score: 4, Insightful

      Oh, IT told them how to securely store the data on the laptop. Him being at the executive level, promptly ignored IT directives because it was "too complicated".

      I'm in a large organization, it's INCREDIBLE what hoops IT makes little ol me jump through to do things on my laptop but Executives are routinely able to do and get the most insane stuff happening on their laptop. Autologin because they keep forgetting their passwords? No duh, changed every 20 days, must contain a non-alpha-numeric character, must contain upper and lowercase, not dictionary based, and not similar to the last 20 passwords.....you have ANY idea how fricken hard it is to keep track of not only the main login but all the subsystems we use?

      Oh, what's that? the exec has autologin with roboform installed? And this is allowed HOW? Oh right, they're the execs.

      - Yo Grark

      --
      Canadian Bred with American Buttering
    2. Re:Huh? by Anonymous Coward · · Score: 1

      BP laptops can't be remotely wiped, but they are password protected.

    3. Re:Huh? by zippthorne · · Score: 1

      "password protected?"

      If the password doesn't get mangled into an encryption key somehow, it's not protecting anything. "Password Protection" on a laptop is like putting up a forty-foot high steel (.. colored.. plastic..) door next to a patio and hoping thieves are too distracted by the door to notice it's not actually enclosing anything.

      --
      Can you be Even More Awesome?!
    4. Re:Huh? by PolygamousRanchKid+ · · Score: 4, Insightful

      No duh, changed every 20 days, must contain a non-alpha-numeric character, must contain upper and lowercase, not dictionary based, and not similar to the last 20 passwords.....

      I read an editorial a long time ago in the Wall Street Journal, written by a security consultant. The executive had three secretaries working for him, and they had to use the PCs from each other. The executive proudly stated that the passwords needed to be changed every week!

      The consultant said that no one could deal with a different password every week. He did a MacGyver, and used a pocket knife to open the drawers in one of the secretary's desk. There were the passwords, all written down and stored in the top drawer.

      The point here is that you go off all crazy on security policies that are impossible to follow, someone will find a work-around that defeats the purpose.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    5. Re:Huh? by vlm · · Score: 3, Informative

      The point here is that you go off all crazy on security policies that are impossible to follow, someone will find a work-around that defeats the purpose.

      The worst part of your story is the actual failure mode is failure to understand the difference between encryption and authentication.

      You're "supposed" to share encryption keys to transfer data, and you've got a huge known plaintext problem with encryption. So you have to change keys / passwords every week or whatever.

      In comparison, the only person that knows your authentication password is one human. The computer, if done correctly, only knows a salted hash. Changing passwords is cargo cult science, it's pointless. It's applying a solution from one problem to a completely unrelated problem. And it makes it worse by making password changing and resetting common and trivialized (in addition to making human management of passwords so difficult that they subvert the system as per your report). Finally it feeds illogic and stupidity, in that good security can be a PITA, therefore anything that is a PITA must be good security, right, and the more of a PITA it is the better the security must be?

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    6. Re:Huh? by vlm · · Score: 2

      "Password Protection" on a laptop is like putting up a forty-foot high steel ...

      ... blow-out preventer on a well, and then not keeping its batteries fully charged?

      Just trying to put it in terms B.P. can easily understand given their recent history...

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    7. Re:Huh? by Anonymous Coward · · Score: 0

      If this really is a BP laptop, this will be a BitDefender/SafeGuard type technology which encrypts the hard disk using a fairly strong key which is in turn encrypted by a boot password. The boot password could come from a token but is more likely from something the executive has to memorize. Tech support usually have a way of recovering without the boot password but that is all. Password policies govern how strong the boot password is.
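The key hierarchy this comment describes (a strong disk key, itself encrypted under a key derived from the boot password, with a separate recovery path for tech support), as an added example that is not part of any comment and not the code of any product named in the thread. It uses only the Python standard library: the XOR wrap under a one-time PBKDF2-derived key stands in for the AES key wrap a real product would use, and the slot names, iteration count and secrets are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumption for the demo; tune to the hardware


def derive_keys(secret: bytes, salt: bytes):
    """Stretch a password into a 32-byte wrapping key and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac("sha512", secret, salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def make_slot(secret: bytes, volume_key: bytes) -> dict:
    """Wrap the volume key under a key derived from `secret`.

    A fresh salt per slot means the wrapping key is used exactly once, so the
    XOR below acts as a one-time pad over the 32-byte volume key.
    """
    salt = os.urandom(16)
    wrap_key, mac_key = derive_keys(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, wrap_key))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def open_slot(secret: bytes, slot: dict) -> Optional[bytes]:
    """Return the volume key, or None if the secret does not match the slot."""
    wrap_key, mac_key = derive_keys(secret, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["wrapped"], wrap_key))


def format_volume(boot_password: bytes, recovery_secret: bytes):
    """Create a random volume key and a header with a user and a help-desk slot."""
    volume_key = os.urandom(32)  # this key, not the password, encrypts the disk
    header = {"slots": {
        "user": make_slot(boot_password, volume_key),
        "helpdesk": make_slot(recovery_secret, volume_key),
    }}
    return header, volume_key


def unlock(header: dict, secret: bytes) -> Optional[bytes]:
    """Try every slot; only a matching secret yields the volume key."""
    for slot in header["slots"].values():
        key = open_slot(secret, slot)
        if key is not None:
            return key
    return None


def change_password(header: dict, old: bytes, new: bytes) -> bool:
    """Re-wrap the same volume key; the disk itself is not re-encrypted."""
    key = open_slot(old, header["slots"]["user"])
    if key is None:
        return False
    header["slots"]["user"] = make_slot(new, key)
    return True


if __name__ == "__main__":
    header, vk = format_volume(b"constructed boot password", b"CONSTRUCTED-RECOVERY")
    print("right password unlocks:", unlock(header, b"constructed boot password") == vk)
    print("wrong password unlocks:", unlock(header, b"guess") is not None)
```

Nothing in the stored header lets a finder of the laptop recover the volume key without a slot secret, so the protection is only as strong as the weaker of the boot password and the recovery secret.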

    8. Re:Huh? by Anonymous Coward · · Score: 0

      RTFA. What you and most commenters are missing here is that the laptop CAN be remotely disabled, and most likely has. Probably one of those "Lojack for Laptops" companies like Absolute Software.

    9. Re:Huh? by dave562 · · Score: 1

      It sounds like IT needs a clue. Where I work they put PGP FDE on every laptop. The option to encrypt is not left up to the user at all. The laptop is encrypted and that is that.

    10. Re:Huh? by ReedYoung · · Score: 1

      Carelessness seems to be part of BP culture throughout the organization, not just in IT matters.

      --
      "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
    11. Re:Huh? by ReedYoung · · Score: 1

      Does it seem odd to you that TFA does NOT say that the lost laptop HAS been disabled? It looks a bit queer to me that BP wouldn't want to say THAT, if that was true. And so they did not say that, I assume it is not true. That could mean the laptop is out of range or destroyed, or it could have been stolen by somebody smart enough to open it up and remove the hard drive rather than just punch the power button.

      --
      "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
  9. "Lost" by Anonymous Coward · · Score: 0

    Lost=Run over by a truck, finely ground, incinerated and buried under a dead horse.

  10. speaking of BP... by magarity · · Score: 3, Interesting

    There hasn't been much coverage lately of how the independent engineering team decided the blowout prevention valve's malfunction was to blame and not some active corporate malfeasance after all. On the other hand, there also hasn't been much coverage of how BP owns a lot of the oil facilities in Libya that the US military is now busy defending.

    1. Re:speaking of BP... by Anonymous Coward · · Score: 0

      "There hasn't been much coverage lately of how the independent engineering team decided the blowout prevention valve's malfunction was to blame and not some active corporate malfeasance after all."

      Rachel Maddow has been talking about this all week on her show. Turns out the blowout preventer is *defective by design* and won't prevent a blowout.

      http://maddowblog.msnbc.msn.com/_news/2011/03/28/6343219-what-will-happen-when-the-drill-pipe-buckles-again

    2. Re:speaking of BP... by ReedYoung · · Score: 1

      Thank you. Bad news, but good to know.

      --
      "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
  11. It seems to be just a loss by pankajmay · · Score: 2

    It seems they do have a copy of the data (the original article alludes to that) -- so this is in effect just a loss of a laptop that contained a copy of this data.

    Shit happens! Seems like they are doing appropriate damage control (by offering free credit monitoring to affected people). And hopefully, as soon as it comes online if it gets turned on by a novice finder/stealer, it will be wiped/locked by the company's software agent.

    Such data is usually copied by many on their laptops or devices so they can run some quick analyses or answer questions -- there is nothing out of the ordinary. It should be treated like any other company laptop loss, except in this case it had a copy of some rather news-worthy data.

    1. Re:It seems to be just a loss by osu-neko · · Score: 1

      It seems they do have a copy of the data (the original article alludes to that) -- so this is in effect just a loss of a laptop that contained a copy of this data.

      Indeed. No doubt they put a copy of this data on every laptop, and keep in a public server somewhere so anyone can copy it, so they always have many copies around just in case something like this happens. /eyeroll

      That whooshing sound you heard when you read the summary was the whole point going over your head. The issue was never that they might no longer have access to the data. The issue is that they aren't doing a particularly good job of making sure not everyone has access to the data.

      Such data is usually copied by many on their laptops or devices so they can run some quick analyses or answer questions -- there is nothing out of the ordinary.

      If the data is sensitive, it shouldn't be copied, it should be accessible in such a way that they can do this without requiring an individual copy of the entire database on the laptop. Alternately, if this isn't feasible for the task that needs to be done on that laptop, then much higher levels of security should be required and extra care should be taken to ensure that the machines that do have the data are not stolen or lost.

      This is only "nothing out of the ordinary" in the sense that irresponsible behavior and gross negligence are nothing out of the ordinary at BP.

      --
      "Convictions are more dangerous enemies of truth than lies."
    2. Re:It seems to be just a loss by rfrenzob · · Score: 1

      What happens before the laptop in question comes online?

    3. Re:It seems to be just a loss by pankajmay · · Score: 1

      Indeed. No doubt they put a copy of this data on every laptop, and keep in a public server somewhere so anyone can copy it, so they always have many copies around just in case something like this happens. /eyeroll

      The issue was never that they might no longer have access to the data. The issue is that they aren't doing a particularly good job of making sure not everyone has access to the data.

      You would never know that with the ruckus everyone here was raising at the start of the thread. And by the way - you conveniently ignored the fact that they are doing damage control.

      If the data is sensitive, it shouldn't be copied, it should be accessible in such a way that they can do this without requiring an individual copy of the entire database on the laptop. Alternately, if this isn't feasible for the task that needs to be done on that laptop, then much higher levels of security should be required and extra care should be taken to ensure that the machines that do have the data are not stolen or lost.

      This is only "nothing out of the ordinary" in the sense that irresponsible behavior and gross negligence are nothing out of the ordinary at BP.

      There is a lot of difference between theory and practice. You would know that if you work for a big organization. I am not condoning the lack of precautions on the executive's part -- the executive needs to be reprimanded properly, but all I am saying is that this stuff happens.
      True BP may be bad and evil, but this does not mean that every incident is a sinister plan unless proven otherwise. You are coloring the incident with your own biases and opinion about the company.

      And as far as the laptop is concerned -- almost all such companies have multiple layers of security to log on to such machines. The machine is probably encrypted by default and will be erased as soon as it's turned on. (There usually is a pre-Operating System level locking)

      This leads to my original opinion that if a machine is turned on by a novice, it will be wiped out immediately. Unless someone who is determined to get at this data acquires it, and I am almost 100% sure that the data is stored on the HDD encrypted. (Why? Because almost all organizations with sensitive customer info need to)

    4. Re:It seems to be just a loss by pankajmay · · Score: 1

      What happens before the laptop in question comes online?

      As I said earlier, I am sure that the info is encrypted on the laptop -- it will probably be inaccessible without a proper key. And if the machine comes on, they will be able to wipe it before the OS loads.

      Big organizations usually do hedge for such scenarios and have precautions and procedures in place in such events. You don't think they supply their executives with plain vanilla laptop with Windows on it with no serious authentication measures?

    5. Re:It seems to be just a loss by MechaStreisand · · Score: 1

      What makes you so sure that the info is encrypted on the laptop? Are you assuming that it is? Does the article state that it is?

      --
      Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
    6. Re:It seems to be just a loss by pankajmay · · Score: 1

      What makes you so sure that the info is encrypted on the laptop? Are you assuming that it is? Does the article state that it is?

      I said there is a high probability not that I am completely sure. Are you aware of how organizations work with their IT infrastructure? Or do you just think that they buy computer stuff and distribute it to their employees?
      Any big organization will have a plan in place for such an event as this -- it is fairly common to expect that laptops can be stolen/misplaced. And that I can be 100% sure that they have some procedure and definitely some protection layers for the data.

      I stated this in my last post -- perhaps read a little more before getting a sound bite in?

    7. Re:It seems to be just a loss by MechaStreisand · · Score: 1

      Have you ever heard of data getting illicitly retrieved off of stolen laptops? Happens all the time. It seems to me that assuming that they actually did encrypt all sensitive data without knowing that for a fact is incredibly naive.

      --
      Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
  12. Eh, just another 'leak' of sorts by countertrolling · · Score: 1

    BP can't contain anything.. except payouts to its victims...

    --
    For justice, we must go to Don Corleone
  13. Incentives at play by sethstorm · · Score: 1

    Why would they want to lose it after paying large sums of cash?

    What other events are going on with BP that would make this a distraction?

    What do they gain about making this front-and-center public?

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
    1. Re:Incentives at play by vlm · · Score: 1

      Why would they want to lose it after paying large sums of cash?

      Well, the IRS is gonna be really pissed, but the general public getting money tax free is going to be happy. Assuming "the general public" got the cash and not some politician. Hmm.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  14. 3g mobile is far from cheap and some areas by Joe+The+Dragon · · Score: 1

    3G mobile is far from cheap, and in some areas the speeds may be too low to have a good VPN / remote speed, and the cost over 5GB is like $10+ per GB, and don't even think about roaming: Adam Savage hit $11,000 just with a few hours of web surfing in Canada on an iPhone.

    1. Re:3g mobile is far from cheap and some areas by hedwards · · Score: 1

      Because when you call for a hit, you want to make sure that the correct person ends up in lavender.

    2. Re:3g mobile is far from cheap and some areas by Hognoxious · · Score: 1

      We're talking about British Petroleum here

      Are we? Did we get transported back to 1998? Think I'll put a few hundred on the Broncos!

      Darn! I've checked. It's 2011 and you're an ignorant, fat, bigoted asshat.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    3. Re:3g mobile is far from cheap and some areas by biek · · Score: 1

      Are we? Did we get transported back to 1998? Think I'll put a few hundred on the Broncos! Darn! I've checked. It's 2011 and you're an ignorant, fat, bigoted asshat.

      BP acquired Amoco. That doesn't change the fact that they still have a ton of money they can use for securing important data. In the future why don't you take some time to explain whatever point you're trying to make instead of casting bile everywhere.

  15. Oh, Dear God No! by mug+funky · · Score: 1

    there's been a data spill!

    i bet they find the laptop in the Gulf of Mexico.

    1. Re:Oh, Dear God No! by sethstorm · · Score: 1

      If it were that case, they'd try a few ineffective things and seize proof that their measures were ineffective.

      --
      Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
    2. Re:Oh, Dear God No! by vlm · · Score: 1

      And someone on /. would suggest the best way to cap the data leak would be to nuke it ...

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    3. Re:Oh, Dear God No! by cffrost · · Score: 1

      [...] the best way to cap the data leak would be to nuke it ...

      Hmm... EMP in the laptop's last-seen general vicinity? You may be on to something, vlm.

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
    4. Re:Oh, Dear God No! by ReedYoung · · Score: 1

      there's been a data spill!

      i bet they find the laptop in the Gulf of Mexico.

      And they're "cleaning it up" with PR just like they "cleaned up" their oil spill with a toxic chemical called Corexit. They're very consistent, in a horrible way.

      --
      "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
  16. go easy by Married+to+Christ · · Score: 1

    Everyone makes mistakes

    1. Re:go easy by Dutchmaan · · Score: 1

      Everyone makes mistakes

      Here, have a nice refreshing glass of gulf water!

    2. Re:go easy by zippthorne · · Score: 1

      That would've been a mistake before the spill, too...

      --
      Can you be Even More Awesome?!
    3. Re:go easy by Anonymous Coward · · Score: 0

      Is jus' good bidness

    4. Re:go easy by ReedYoung · · Score: 1

      Everyone makes mistakes

      Some more than others.

      --
      "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
  17. Hey! Is Obama's name in there? by countertrolling · · Score: 1

    We can find out if he's American or not. He did file a claim, didn't he?

    --
    For justice, we must go to Don Corleone
  18. Is this anything like by twoears · · Score: 1

    "my dog ate my homework" or the iPhone 4 left in the Silicon Valley bar by the Apple employee?

  19. How foooortunate by Anonymous Coward · · Score: 0

    Theeees seeemplifies eeeverytheeng

  20. BP, gunning for the prize... by Anonymous Coward · · Score: 0

    This is clearly a stunt to boost their odds in the Worst company in America contest. They are already a favorite to make the final match up, but this might just be the boost they need to go all the way and claim the golden poo.

  21. Failed Design by Gastrobot · · Score: 1

    In my mind it seems like a failure in security to have this quantity of personal information on a laptop. If someone needs quick access to it then it should be in a database back in home base with some canned queries for whatever functions are typically needed. This approach should be sufficient anywhere that an internet connection exists. I've never used one myself but my understanding is that these days you can purchase USB sticks that connect to the internet from anywhere in reach of a cell tower and so it should be an especial rarity for a business such as BP to find themselves hindered by a lack of connectivity.

    Hopefully the drive on the laptop was encrypted, but even if it was, this is the wrong way to handle this sort of data. Haven't these people been through enough from BP already?

    1. Re:Failed Design by ReedYoung · · Score: 1

      Understatement! At Symantec we didn't even let executives just download all the end-of-quarter high-value orders, and that information was vital to timely earnings estimates! We built them a reporting rdbms with "some canned queries" just like you said, which they could access via VPN or from their offices around the world. But the Finance Department did not offer the whole f'ing database to anybody to take from The Company's offices. That shit just isn't done with valuable data -- data that The Company values, that is. (any company, not picking on SYMC)

      This alone proves systemic indifference to and contempt of the claimants, BP's victims. An ethical judge who does even minimal due diligence to learn about industry standard Finance IT practices would at least double the settlement against BP just for letting the entire claimant database be stored on anything mobile. The industry is NEVER as careless with property or financial value as BP is with human life and their victims' identities.

      --
      "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
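
The "database back in home base with some canned queries" design described in the two comments above, as an added sketch that is not code from any poster or from BP. The table layout, query names, row cap and sample records are all assumptions constructed for illustration.

```python
import sqlite3

MAX_ROWS = 25  # hard cap: no canned query can return the whole table

# Constructed sample records; names and SSNs are fictitious
# (9xx area numbers are never issued as real SSNs).
SAMPLE_CLAIMS = [
    ("Alice Example", "1970-01-02", "900-00-1234", "LA", 12000.0, "open"),
    ("Bob Sample", "1982-06-15", "900-00-5678", "LA", 4500.0, "paid"),
    ("Carol Placeholder", "1965-11-30", "900-00-9012", "MS", 8000.0, "open"),
    ("Dan Specimen", "1990-03-09", "900-00-3456", "AL", 2500.0, "open"),
]

# Hypothetical query catalogue: name -> (SQL, number of parameters).
# There is no "select everything" entry, and DOB is never selected.
CANNED_QUERIES = {
    "claim_by_id": (
        "SELECT claim_id, name, ssn, state, amount, status "
        "FROM claims WHERE claim_id = ?", 1),
    "open_claims_by_state": (
        "SELECT claim_id, name, ssn, state, amount, status "
        "FROM claims WHERE state = ? AND status = 'open' ORDER BY claim_id", 1),
    "totals_by_state": (
        "SELECT state, COUNT(*) AS claims, SUM(amount) AS total "
        "FROM claims GROUP BY state ORDER BY state", 0),
}


def build_db():
    """Stand-in for the server-side database; the laptop never holds this."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE claims ("
        "claim_id INTEGER PRIMARY KEY AUTOINCREMENT, "  # surrogate key, not the SSN
        "name TEXT, dob TEXT, ssn TEXT, state TEXT, amount REAL, status TEXT)")
    conn.executemany(
        "INSERT INTO claims (name, dob, ssn, state, amount, status) "
        "VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_CLAIMS)
    return conn


def mask_ssn(ssn):
    """Expose only the last four digits to the client."""
    return "***-**-" + ssn[-4:]


def run_canned(conn, name, params=()):
    """Run one catalogued query; reject anything else, cap and redact results."""
    if name not in CANNED_QUERIES:
        raise PermissionError(f"no such canned query: {name!r}")
    sql, nparams = CANNED_QUERIES[name]
    if len(params) != nparams:
        raise ValueError(f"{name} takes {nparams} parameter(s)")
    cur = conn.execute(sql, params)  # parameters are bound, never interpolated
    cols = [d[0] for d in cur.description]
    rows = []
    for raw in cur.fetchmany(MAX_ROWS):
        row = dict(zip(cols, raw))
        if "ssn" in row:
            row["ssn"] = mask_ssn(row["ssn"])
        rows.append(row)
    return rows


if __name__ == "__main__":
    db = build_db()
    print(run_canned(db, "claim_by_id", (1,)))
    print(run_canned(db, "totals_by_state"))
```

With this shape, a lost client machine holds at most the capped, redacted rows it last fetched rather than a copy of the claimant table.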
  22. "Bad faith" by rhizome · · Score: 3, Insightful

    The bad faith isn't in losing the laptop, it's in the BP policy allowing workers to have this information on laptops that can be lost.

    --
    When I was a kid, we only had one Darth.
    1. Re:"Bad faith" by thegarbz · · Score: 1

      Ahhh yes policy. I take it you don't work in IT? IT policies in most companies are generally widely regarded as a waste of time to write and are rarely followed. I mean I work for a multinational company who actually had to send out an email communication to all staff saying, "Yes downloading 5GB of porn on your lunchbreak is definitely a breach of the terms of services, which incidentally are longer than a typical EULA and expressly state things such as never keep company information on the desktop, my documents, or anything other than the network folders which we have access to from anywhere in the world anyway. But try telling the users this. ... I'm guilty of this too, I've taken my entire network drive and ticked "use offline". Between that and the use of Firefox (unauthorised software) I'm definitely on the naughty list.

    2. Re:"Bad faith" by emt377 · · Score: 1

      The bad faith isn't in losing the laptop, it's in the BP policy allowing workers to have this information on laptops that can be lost.

      At least without crypto to protect it. I keep a lot of sensitive paperwork (contracts, etc) on my laptop, but it goes in an encrypted file system that's only mounted as needed, then unmounted.

    3. Re:"Bad faith" by Anonymous Coward · · Score: 0

      BP has feet on the ground dealing with the various claimants so I'm not surprised they have that kind of data on laptops in the field, and don't think there's anything wrong with that. If the data was being managed via internal systems over vpn, that would be better... but that assumes that's reliably possible where these people are working.

      I would be disappointed to find out that it wasn't an encrypted filesystem (the article doesn't say), but it does sound like they have endpoint management that allows them to do remote lock and wipe on the machines. If we can assume the former, then combined with their follow-up support (credit monitoring, etc), I think we can say they've done their due diligence and there's little to worry about.

    4. Re:"Bad faith" by ReedYoung · · Score: 1

      What multinational company? And what are their policies regarding financial data? A bit stricter than their policies on Firefox v. IE, I'll wager.

      --
      "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
    5. Re:"Bad faith" by thegarbz · · Score: 1

      You make it sound like the end user knows the difference. The policy basically is a catch all to not keep any data anywhere except our personal drives, which they provide us access to from anywhere in the world anyway. I mean we don't go a week without hearing that someone lost a laptop of social security numbers, a customer database, a list of voters, etc. Are you saying these companies all had no IT policy not to keep sensitive data on a laptop/usb stick?

    6. Re:"Bad faith" by ReedYoung · · Score: 1

      What multinational company? And what are their policies regarding financial data?

      --
      "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
  23. Can Haz Consequences? by ohnocitizen · · Score: 1

    At this point is there any expectation that actions like this will carry consequences outside of an apology for a company like BP? After the oil spill, the Texas incident and their subsequent handling of both - it seems like an issue like this will disappear from the media's attention span in short order.

  24. Just typical, I'm afraid. by jd · · Score: 1

    Not malicious, just another spill. Likely into deep water. It'll now take them three or four months to figure out how to recover it.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  25. More like bad procedures. by Anonymous Coward · · Score: 0

    They learnt their secrecy from the British government and security services. They seem to distribute secret information like this all the time.

  26. Each and everytime... by geogob · · Score: 1

    It doesn't happen that often, but each and every time I read a story about a laptop being lost that held critical information, I'm asking myself the same question: How do you lose a laptop?! I've never personally heard of anyone losing a laptop. Not even misplacing one. One got stolen, but I wouldn't count this as "lost", although it is a loss.

  27. they got leaks!! by georgesdev · · Score: 1

    Oil leak
    Private-data leak
    What next, Wikileaks?

  28. Incompetents. Fire them. by Anonymous Coward · · Score: 0

    How do the employees of these companies keep on losing laptops?

    If it was stolen, then it would say it was stolen.

    So this is a case of laptops being left behind in hotels, or taxis, or trains.

    These incompetents should be fired, especially when they're holding personal data on their laptops.

    I'm sure that BP's IT group has BIOS level passwords and encryption set of course. And that sensitive data is encrypted when being transported. Or maybe they should all be fired too.

  29. Try an exploding tanker in a German harbor by Anonymous Coward · · Score: 0

    It is ridiculously hard to find in the international news, but here goes: a BP tanker exploded in a German harbor. This after they had touted their horn about their stepped up safety measures.

    I can understand why they could do with a diversion in the news...

  30. Why SS numbers? by EmagGeek · · Score: 1

    Why would BP need to collect social security numbers?

    1. Re:Why SS numbers? by cffrost · · Score: 1

      Why would BP need to collect social security numbers?

      Maybe so they can try to recoup some of the money they're losing to paying out these claims? I wouldn't put it past 'em. =)

      --
      Thank you, Edward Snowden.

      "Arguments from authority are worthless." —Carl Sagan
  31. From the desk of Tony by Combatso · · Score: 1

    We're sorry.... Sorry.

    T.Hayward

  32. Worst case scenario by Zac_G · · Score: 1

    I'm always amazed at the community's limited understanding of the media world and how it does its reporting. The media is reporting how BP is treating the issue, not what has actually happened. BP is handling this in a worst case scenario: the laptop has been stolen/lost, the information on the laptop has been compromised, and the individual responsible is maliciously using the claimants' information in a mischievous way. They have only confirmed they do not have in their possession a laptop with claims information. Let's also not forget just how often local politicians, lawyers, and claims adjusters have asked for this information on the spot with little regard to the claimants' privacy. If BP had the option I imagine they would have this information on servers behind a DMZ with little to no outside access, but we have demanded that they be transparent with everything as quickly as possible (spill cam, reporters on a drill rig, live video feed of their ROVs, daily technical reports during the spill...). I don't know about you but when good 'ol Bobby Jindal asks for claims information I doubt he is wanting to do log shipping of encrypted database tables. He just wants a damn Excel file.

  33. Why is this data on a laptop, again? by Vrtigo1 · · Score: 1

    In the age of ubiquitous connectivity, why is it that this data is stored locally on a laptop? BP surely has boocoo IT infrastructure, so why didn't they just set up a secure website that their minions could've used to input people's data instead of storing it in Excel on a laptop where it could be lost? Seems to me that it'd be a lot more difficult to lose the data when it's sitting on your SAN which is probably in an access restricted datacenter. Asshats...

  34. WTF IT by the_hellspawn · · Score: 1

    Why would someone store data on a laptop? Connect through a secure link and get your data from a server that can't be lost. Hacked maybe, but not lost. For crying-out-loud; some IT folks are Duh and not WINNING. Storing shit on a laptop is just retarded. Don't care it is retarded. Store it on a server. I do and Duh, WINNING!

    --
    "The laws of science be a harsh mistress." --Bender
  35. I lost my laptop. My dog ate my homework. I was... by mschaffer · · Score: 1

    So, is BP trying to implement the "I lost my laptop" excuse to keep from paying all of those claims?

    What I want to know is: why do people store all of this information on individual laptops?
    Things like this have happened so many times before. When will those pinheads learn?

  36. Laptop can be remotely disabled... by FlipperPA · · Score: 1

    ...you think this tidbit from the article might have been included in the teaser. Lojack for laptops, encryption and passwords should be required for any company or academic laptop containing sensitive information.

  37. Only one reason by Anonymous Coward · · Score: 0

    There is only one reason to change authentication passwords periodically:

    Limiting the exposure time once an authentication password is compromised.

    So it does serve a purpose, but one that only affects you if you are already pwnd.

  38. Lost it in the gulf, a dogfish ate it by Anonymous Coward · · Score: 0

    Was boating in the gulf. A rogue wave came over the side of the boat. Suddenly the deck was all black and slippery and oily. Slipped on the deck, laptop slipped out of my hands, over the side, into the black, oily, murky depths. Gone forever. Meanwhile, I'm recovering just fine after my 'oil spill'. Whew, glad that one's over.

  39. ...a laptop? by linuxgeek64 · · Score: 0

    Why do they even store that data on a laptop? That guarantees a disaster.

  40. No server backup??? WFT?? by Anonymous Coward · · Score: 0

    Important information held on a local hard drive??? Yeah, ok.

  41. Well played, BP. by Scott+Scott · · Score: 1

    Who needs a public image when you have gross mishandling to blame? To the yacht races!

  42. Re:I lost my laptop. My dog ate my homework. I was by cffrost · · Score: 1

    What I want to know is: why do people store all of this information on individual laptops?

    Two words, mschaffer: Plausible deniability.

    --
    Thank you, Edward Snowden.

    "Arguments from authority are worthless." —Carl Sagan
  43. You're trying too hard to excuse the corporation. by ReedYoung · · Score: 1

    It is not a person!

    And such field agent should download one day's data at a time. If that scenario is not "far-fetched" then that only means that many, many people are too stupid for current technology.

    --
    "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
  44. "masked ssn" my ass! by ReedYoung · · Score: 1

    What rdbms doesn't have an automatic unique id generator?

    --
    "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
  45. So upload that data daily. by ReedYoung · · Score: 1

    And delete that personally identifiable information from the lappy every evening. What, is this rocket surgery? I thought I was reading "news for nerds about stuff that matters!" Where did all the programmers go?

    --
    "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
  46. Yeah, that's good for Napoleon & other dictato by ReedYoung · · Score: 1

    For the rest of us, the need to seem benevolent is probably less important than not getting jerked, defrauded or killed by global corporations which are absolutely, certainly anything but benevolent.

    --
    "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
  47. Get thee to a coffeeshop! GO!! by ReedYoung · · Score: 1

    If the data was being managed via internal systems over vpn, that would be better... but that assumes that's reliably possible where these people are working.

    Where there is a will, there is a way. BP lacked the will, which is to say, they don't give a fuck.

    --
    "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
  48. I cannot forget what I have never known. by ReedYoung · · Score: 1

    Let's also not forget just how often local politicians, lawyers, and claims adjusters have asked for this information on the spot with little regard to the claimants' privacy.

    That is not something I have ever read about. Please cite a reliable source, if possible.

    --
    "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p