Blood Transfusion Service stolen laptop

Some family members were greeted this morning with letters from the Irish Blood Transfusion Service. Not me though as I haven’t been able to donate for a few years.

The letter was a notification of a laptop belonging to the IBTS had been stolen in New York recently and that records of some of my family members were stored on it.

The letter states that the data stored on the laptop comprises of name, address, date of birth and donation record. They further state that the laptop was in New York for a “software upgrade to provide better service to donors, patients and the public service.”

Then it goes on to mention security:

We are always aware of the potential for data loss, and took all measures to ensure that state-of-the-art data encryption was used. The records were on a CD that was encrypted with a 256 bit encryption key. Those records were transferred to a laptop and re-encrypted with a 256 bit encryption key. This represents the highest level of security available.

I would like to assure you that the possibility of anyone breaking this encryption/ security system is extremely remote. When you consider that the normal PIN we all use to access bank machines etc is a four character code the code on this laptop is thirth five characters. To our knowledge there has never been a report of a successful attack against a 256 bit encryption key.

Interesting stuff but is it believable? I have visions of a Microsoft Access database being copied onto a CD and then on to the laptop in question. Or maybe even an Excel spreadsheet but that is highly unlikely as it seems that the highest encryption level for Microsoft Office is 128 bit and almost as easy to crack as an egg.

In the letter it is the mention of re-encryption that has me a little confused. If the data on the CD had already been encrypted then why do so again on the laptop? I presume they mean that they decrypted the data on the CD, transferred (transfused?) it to the laptop and encrypted it using a different key.

Anyway, given that the person that had the laptop was mugged, chances are that it was done by someone looking to sell it on quickly and they were not specifically targeted. Still there is a small potential for identity theft but most of the information that the IBTS claim was on it is easily accessible through other means.

Now I wonder what software they were using?

Leave a comment | Trackback
Feb 25th, 2008 | Posted in Family, Health, News, Personal, Security
Tags:
  1. Fitz
    Reply | Quote
    Feb 25th, 2008 at 23:49 | #1

    I received that letter today and am extremely concerned and angry.

  2. Robert
    Reply | Quote
    Feb 26th, 2008 at 00:56 | #2

    Fitz,

    I can understand your concern and anger. Actually that is an understatement, who would have thought that by donating blood in Ireland that ones personal information would end up in America?

    But in thinking: every I.T. project I have been involved in over the last 12 years involved made up data. Never once did we use data that was genuine (live) until it was tested and time for the migration.

    I hope they are being sincere in their claims of data encryption. As I mentioned in my post, it is highly unlikely that the data might be used.

    Chances are that the laptop in question has been sold for a quick buck. But it does raise the question of how secure the information that we willingly submit to various government departments/ 3rd party compaines etc. really is.

    If that laptop belonged to the Revenue Commissioners for instance then it would be a whole different story.

  3. brian
    Reply | Quote
    Mar 6th, 2008 at 20:51 | #3

    So many questions!…………

    Why wasn’t any personal information taken off the laptop before it left the office for repairs?

    Why did the laptop go to america for upgrading?

    What could a criminal do with the information on the computer?

    brian
    http://www.scamemail.co.uk

  4. Robert
    Reply | Quote
    Mar 7th, 2008 at 11:01 | #4

    All good points Brian. Idon’t think that we will ever know though.

  5. Ger
    Reply | Quote
    Apr 1st, 2008 at 18:19 | #5

    Fuming, no less to have received this letter stating my details on this laptop. Why could they not have had a sample database for this type of upgraading???Who is to say that the IBTS don’t have more details on the laptop concerning us??Have we proof that they are telling the truth

  6. Robert
    Reply | Quote
    Apr 1st, 2008 at 18:22 | #6

    Hi Ger,

    I think it would have made too much sense to use a sample datatabse with sample data instead of real data.

    But of course, you know what they say. The sad thing about common sense is that it’s not too common.

Leave a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>
RSS for comments on this post

Bad Behavior has blocked 979 access attempts in the last 7 days.

22 queries. 0.500 seconds.