US STOLEN COMPUTERS AND CONTRADICTORY STATEMENTS http://www.computerworld.com/blogs/node/2731

Contradictory Statments
By Martin McKeay on Fri, 06/09/2006 - 1:45pm

Several days ago it was revealed that thieves had stolen equipment from the Buckeye Community Health Plan containing over 72,000 customer records. A total of four computers were stolen, containing all the standard information, such as Social Security numbers, address, etc. They also contained the health records of at least 13,000 customers. The computers were protected by passwords, which probably means they were part of a Windows domain, but the records themselves were not password protected. Because the thieves have physical access to thecomputer hard drives, if they can't break that in 30 minutes or less, I'd be surprised. And since it wasn't mentioned, the records probably weren't protected by any form of encryption.

So far, this is a fairly common incident by today's standards. But when you read farther down in the article, there are two statements that really jar me when taken together. The first -- "...the company believes the thieves wanted thecomputers , not the information they contained" -- has become part of the PR lexicon surrounding these types of incidents. But when you take it with "...it was obviously someone that had access to the facility", it sends chills down my spine.

This can't be painted as a case of the thieves not knowing what they had stolen. If this was someone who had access to the facility, they knew what they were going after. They didn't choose the system they stole at random or because of opportunity. They went in after specific systems, took them and got out. Whether or not they were actually after the data on those systems is up to debate. The fact that they knew the building and what they were after makes it much more likely that they could have been after the information on the systems, not the systems themselves. And if they were after the data, then there are 72,000 people who are going to have their identitystolen in the very near future.

We already know thieves are targeting laptops in San Francisco's Mission District. The theory is that the thieves are just looking for easily accessible laptops. But what if they aren't? What if they really are looking for the data contained on thecomputer? I've never sold a stolen computer , but I can't imagine a thief could get much more than $500 for the system. I've got to think that 72,000 verified identities are worth more than $500, plus the thieves can still sell the hardware once they've recovered the information.

Businesses have to stop making the assumption that no one's going to look at the data on a stolen system. Hard drives are showing up all the time at flea markets and garage sales; people are buying these drives and looking at the data contained on them. Why would anyone assume the same isn't happening with laptops. After all, if I was of a malicious mindset, that's what I'd be doing