Not sure how I missed this Network World story last week before writing about AT&T's stolen-laptop fiasco, which you may recall centered prominently on the fact that personal info on the machine was unencrypted: Turns out that only two days earlier AT&T had announced a new service ... an encryption service "designed to help companies prevent data loss."
Technology companies are constantly bragging about "eating their own dog food," a colorful euphemism for deploying to their employees first that which they will ask customers to buy. Some companies don't do it enough, apparently.
Granted, the laptop theft itself occurred May 15, but one would like to think that AT&T's internal IT department could have gotten its hands on the goods in time to prevent much of the collateral damage -- if not the actual theft -- that is now causing the company such grief.
Instead, we hear this kind of thing from an AT&T manager who was victimized and told me: "It is pathetic that the largest telecom company in the world -- with more than 100 million customers -- doesn't encrypt basic personal information."
And this from a Q&A issued by AT&T to employees:
Q: Was it encrypted? If not, why not?
A: It was not encrypted, but the laptop was password protected. AT&T is currently in the process of encrypting such systems.
Other major technology companies appear to have gotten a jump on that process, witness IBM's announcement in January that it would be rolling out laptop encryption capabilities from PGP to 355,000 employees. EMC's chief security officer told us earlier this year that his company encrypts every laptop.
You'd expect as much from IBM and EMC given the extent to which those companies are involved in IT security.
And you might expect as much from a service provider rolling out an encryption service.
Of course, AT&T may be able to look on a bright side here: Now its marketers can call on potential buyers of its new encryption offering and say to them, "Hey, don't let what happened to us happen to you."
Get a load of this...
Not only can AT&T NOT practice what it preaches on encryption, but due to outsourcing they can't even properly quote retirement benefits.
http://daily-journal.com/archives/dj/display.php?id=421840
Looks like litigation abounds from various angles for employees being pushed out the door.
A little late, but...
The following is an official communication sent to employees this morning.
--------
Encryption software for AT&T laptops and desktops
As part of the ongoing efforts to protect Sensitive Personal Information (SPI), the company is deploying encryption software, Pointsec Full Disk Encryption, to all company laptop and desktop computers. The installation of Pointsec Full Disk Encryption software is mandatory. Most laptop users will receive an IT Desktop automated Systems Management Server (SMS) installation during the next 6 to 8 weeks. SMS is the standard tool AT&T uses for sending application and software updates to Personal Computers. Desktops will be updated later this year. Non-IT supported devices are being cared for by local support teams working with the Chief Security Office (CSO).
Additional information on the Pointsec Full Disk Encryption process can be found at http://dataprotection.cso.att.com/HTML/techsol-new.html.
Thank you for your immediate attention and support of this effort.
@ Response to official communication: Pointsec encryption
That's fantastic that the company has decided to practice what they preach. But I personally do not think it's good enough; it comes down to properly training personnel and controlling systems. I cannot go into details but when I was in a Management capacity at AT&T I brought up many blatant holes in their systems security. On accident, I even received the 'President's report' in my email box every morning detailing all of the company's clients and their current relationship. Since I am an ethical hacker and security professional, when I left the organization I did not take this information with me. But think of the average employee or user, who would not THINK twice of taking the company's entire regional report. Hmmm... Really makes you wonder?