IE 11 is not supported. For an optimal experience visit our site on another browser.

For sale by public auction -- juicy laptop secrets

Lost or stolen laptops containing sensitive financial details and corporate secrets can be bought up at auctions, a security firm revealed on Wednesday.
/ Source: Reuters

Laptops containing sensitive financial details and all manner of corporate secrets can be snapped up at auctions for a pittance, a security firm revealed on Wednesday.

Stockholm-based Pointsec Mobile Technologies said it bought 100 laptop computers from a host of Internet and public auctions over the past two months.

The exercise intended to demonstrate that the scores of lost or stolen laptops that wind up at auction every day have hard drives with little or no security, giving identity thieves and fraudsters easy access to lucrative data.

What it did not expect to find was a cache of corporate laptops too that were as easy to crack as grandma's PC.

70 of 100 laptops accessed
In all, the firm's technicians were able to pull sensitive details from 70 of the 100 machines it bought.

In one case, it obtained a particularly vulnerable hard drive from online auction site eBay that apparently once belonged to one of Europe's largest insurance companies.

On the hard drive were current details of customers' pension plans, payroll records, personnel details, login codes and administration passwords for the company's Intranet site. Home addresses, telephone numbers and dates of birth of customers were also listed in 77 Microsoft Excel files, the company said.

"Even when companies or individuals believe they have wiped the hard drive clean, it is blatantly clear how easy it is to retrieve sensitive information from them," said Pointsec CEO Peter Larsson.

The clean wipe?
Companies usually go to the trouble of wiping a computer hard drive of any sensitive details before discarding them, but even that is not foolproof, Larsson said.

A bigger problem is laptops lost on the train or the airport, which are often auctioned to the public if the owners don't claim them.

From laptops it acquired at an auction from Britain's Gatwick Airport, Pointsec used generic password recovery software -- many free varieties are on the Internet -- to access information on one in three of them.

It scored a similar rate of success from laptops acquired at auction in the United States, Germany and Sweden.

In Sweden, the first laptop Pointsec bought at auction contained information about a large food manufacturer and its customers, plus a PowerPoint presentation about a product line.

"Pointsec's research demonstrates just how easy it is to access information which is not adequately protected," said Tony Neate of Britain's National Hi-Tech Crime Squad.

"Encryption and other security measures are vital to ensure that security is not compromised -- something as simple as a hard disk drive password can deter the opportunist."