Slashdot Mirror


BP Loses Laptop With Oil-Spill Claimants' Personal Info

Oxford_Comma_Lover writes "CNN Reports that BP lost a laptop with the name, address, DOB, and SSNs of everyone who filed claims related to the big oil spill last year. In other words, everyone asking for money from them based on the spill just got their private info misplaced. There has been no allegation of bad faith."

16 of 137 comments

  1. oh, by lolololol · · Score: 3, Funny

    How convenient...

    1. Re:oh, by PsychoSlashDot · · Score: 5, Insightful

      How about an additional answer: consider well what data you carry on a mobile device.

      I have serious difficulty figuring out what scenario was in play that required this particular data to be on a laptop in the first place. Some mobile sales guy needed the data to plug in at a hotel conference room and make a presentation? Some jet-setting bigwig needed to massage the data and do some data-mining while on a trans-oceanic flight?

      Even if the laptop's user was tasked with "visit each of these people individually and tell them 'no' in plain English", the data should have been partial and redacted.

      Sorry, but corporations - like the human beings they're comprised of - put data on theft-prone devices that shouldn't be there in the first place. Encrypted or not.

      --
      "Oh no... he found the .sig setting."
    2. Re:oh, by fuzzyfuzzyfungus · · Score: 3, Informative

      You sound like you were raised by Steve Ballmer and rocked to sleep each night by a loving marketing brochure. Lay it on a bit thicker, will you?

      That said, disk encryption (almost certainly full disk, because you Do Not Want to have to puzzle out all the possible locations that a modern OS and suite of common programs may stash temporary files, caches, etc.) is more or less a must for sensitive information that leaves the site. It reduces the hazards of sloppy disposal even for desktops that are only supposed to leave the building at EOL.

      You can get disks that do it in hardware, there are a variety of software options; but it is pretty much the bare minimum of responsible handling of sensitive data. Even better, of course, is never actually having the data on the device in the first place. With the comparatively low cost of broad internet coverage today, forcing people working on really sensitive stuff to do so only in a terminal session that actually lives on a nice cozy server back in your locked cage, with only pictures and input device events going back and forth over the (SSL secured) wire is fairly practical and means that even a badly rooted client is limited to some screengrabs and a stolen client gets nothing but a stock OS with one of the terminal clients installed.

    3. Re:oh, by mwvdlee · · Score: 5, Insightful

      Never attribute to malice that which is adequately explained by stupidity.

      With such enormous levels of stupidity, the entire company should just be shut down and the entire management thrown into a mental hospital.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  2. SSN? by innocent_white_lamb · · Score: 3, Insightful

    Why do they need your SSN to process a damages claim?

    --
    If you're a zombie and you know it, bite your friend!
    1. Re:SSN? by nedlohs · · Score: 3, Informative

      For a lost income claim, the money is taxable (just as the income it is supposed to be replacing would be).

      Other types aren't but that doesn't mean they don't report them to the IRS anyway.

    2. Re:SSN? by vlm · · Score: 3, Interesting

      For a lost income claim, the money is taxable (just as the income it is supposed to be replacing would be).

      The problem is tax evasion. There's a million "bubba gump shrimp boats" down there, that "on paper" never make more than a couple K of taxable income per year. But under the table they were absolutely raking it in. Cash sales to restaurants. Cash sales at the pier to brokers. Cash sales to the general public and/or local fishermen who happen to be at the pier. The only guy in LA with more cash than a dealer is a fishing boat owner. Now with the spill, there is a huge dilemma of how much money they should get from B.P.: what they actually made, or what they reported to the IRS.

      I'm told by relatives in LA that the IRS takes people down because they are so dumb that they buy diesel for their boat on a credit card, so it's easily tracked, and they spend more money JUST ON DIESEL than they report as gross income to the IRS. There's a whole folklore as to which marina cooperates with the feds and which marinas take cash for fuel, and how it's better to buy diesel at a "gas" station for cash, pay the diesel road tax, and pour it into your boat, than to get busted. Apparently off-road diesel has a dye added so you can't burn it on-road, and boat owners buy the dye to make it look like they're burning marina diesel instead of truck diesel.

      That gives some idea of how bad the tax evasion is down there. I would not be surprised if this is all a show, and the laptop mysteriously is found in the local IRS office.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  3. Bad Faith... by aralin · · Score: 4, Interesting

    Any sufficiently big level of stupidity is indistinguishable from malice :)

    Actually it is better for you to assume malice than stupidity, because if you go after a fool, he kinda sorta deserved it anyway; if you think a malicious enemy is stupid, you are gonna pay twice for being a fool yourself. Game theory in action. :)

    --
    If programs would be read like poetry, most programmers would be Vogons.
  4. Huh? by cultiv8 · · Score: 4, Insightful

    Was it not encrypted? How long after it was "discovered" missing was it remotely disabled? Were they able to wipe it? Why do you keep this type of data on a personal laptop? Seriously BP, you guys make a lot of cash, care to tell us how much of this is going into your IT infrastructure to prevent this from happening?

    --
    sysadmins and parents of newborns get the same amount of sleep.
    1. Re:Huh? by Yo Grark · · Score: 4, Insightful

      Oh, IT told them how to securely store the data on the laptop. He, being at the executive level, promptly ignored IT directives because it was "too complicated".

      I'm in a large organization; it's INCREDIBLE what hoops IT makes little ol' me jump through to do things on my laptop, but executives are routinely able to do and get the most insane stuff happening on their laptops. Autologin because they keep forgetting their passwords? No duh, changed every 20 days, must contain a non-alphanumeric character, must contain upper and lowercase, not dictionary based, and not similar to the last 20 passwords.....do you have ANY idea how fricken hard it is to keep track of not only the main login but all the subsystems we use?

      Oh, what's that? The exec has autologin with RoboForm installed? And this is allowed HOW? Oh right, they're the execs.

      - Yo Grark

      --
      Canadian Bred with American Buttering
    2. Re:Huh? by PolygamousRanchKid+ · · Score: 4, Insightful

      No duh, changed every 20 days, must contain a non-alphanumeric character, must contain upper and lowercase, not dictionary based, and not similar to the last 20 passwords.....

      I read an editorial a long time ago in the Wall Street Journal, written by a security consultant. The executive had three secretaries working for him, and they had to use each other's PCs. The executive proudly stated that the passwords needed to be changed every week!

      The consultant said that no one could deal with a different password every week. He did a MacGyver and used a pocket knife to open the drawers in one of the secretaries' desks. There were the passwords, all written down and stored in the top drawer.

      The point here is that if you go off all crazy on security policies that are impossible to follow, someone will find a work-around that defeats the purpose.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    3. Re:Huh? by vlm · · Score: 3, Informative

      The point here is that if you go off all crazy on security policies that are impossible to follow, someone will find a work-around that defeats the purpose.

      The worst part of your story is the actual failure mode is failure to understand the difference between encryption and authentication.

      You're "supposed" to share encryption keys to transfer data, and you've got a huge known plaintext problem with encryption. So you have to change keys / passwords every week or whatever.

      In comparison, the only person that knows your authentication password is one human. The computer, if done correctly, only knows a salted hash. Changing passwords is cargo cult science; it's pointless. It's applying a solution from one problem to a completely unrelated problem. And it makes it worse by making password changing and resetting common and trivialized (in addition to making human management of passwords so difficult that they subvert the system as per your report). Finally it feeds illogic and stupidity, in that good security can be a PITA, therefore anything that is a PITA must be good security, right, and the more of a PITA it is the better the security must be?

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    4. Re:Huh? by vlm · · Score: 2

      "Password Protection" on a laptop is like putting up a forty-foot high steel ...

      ... blow-out preventer on a well, and then not keeping its batteries fully charged?

      Just trying to put it in terms B.P. can easily understand given their recent history...

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  5. speaking of BP... by magarity · · Score: 3, Interesting

    There hasn't been much coverage lately of how the independent engineering team decided the blowout prevention valve's malfunction was to blame and not some active corporate malfeasance after all. On the other hand, there also hasn't been much coverage of how BP owns a lot of the oil facilities in Libya that the US military is now busy defending.

  6. It seems to be just a loss by pankajmay · · Score: 2

    It seems they do have a copy of the data (the original article alludes to that) -- so this is in effect just a loss of a laptop that contained a copy of this data.

    Shit happens! Seems like they are doing appropriate damage control (by offering free credit monitoring to affected people). And hopefully, as soon as it comes online if it gets turned on by a novice finder/stealer, it will be wiped/locked by the company's software agent.

    Such data is usually copied by many on their laptops or devices so they can run some quick analyses or answer questions -- there is nothing out of the ordinary. It should be treated like any other company laptop loss, except in this case it had a copy of some rather news-worthy data.

  7. "Bad faith" by rhizome · · Score: 3, Insightful

    The bad faith isn't in losing the laptop, it's in the BP policy allowing workers to have this information on laptops that can be lost.

    --
    When I was a kid, we only had one Darth.