A financial services company issued laptops to all its sales staff in order to reduce costs and improve compliance. This allowed sales staff to work from home, thus saving on office costs, and software on the laptops encouraged sales staff to enter new business in a standardised and compliant fashion. Due to several high-profile events in the press involving lost customer data, management issued an edict that all company laptops were to be encrypted within one month – many were known to contain significant amounts of sensitive client data.
Unfortunately, a temporary member of staff who had access to the company’s laptop encryption records stole several unencrypted laptops which were being stored in the storage room, and was aware that unencrypted laptops with financial data have a high value on the black market. Some of these laptops contained thousands of sensitive client records. The matter reached the press and severe reputational damage followed.
The laptop encryption records were kept on a web page open to all members of that department, and although the storage room had a passcode-protected lock, members of the department did not hide this 4-digit code when they entered it, and the lock was in full view of anyone at the nearby drinks machine. Six unencrypted laptops were stolen containing sensitive financial details of over 15,000 customers.
Company sales plummeted for several weeks following the adverse publicity and regulatory fines were imposed, which, although modest, further worsened the reputational damage. The company wrote to all the affected customers which further impacted reputation. The sensitive data was not used by the thief so no direct losses were incurred.