# Bank of Ireland laptop theft: Is XP username and password safe?



## Whiskey (22 Apr 2008)

On the news today was information about the theft of some Bank of Ireland laptops. Some of the laptops had sensitive information.

It doesn't say what operating system the laptops used.

If it is XP, and a login is required to run Windows, then the people who stole the laptops would not be able to access any data on the machine.

Am I correct?

I've got an XP work laptop; I can't access Windows without a username and password. I must log on to a domain, or as administrator to my own machine.

My question is, is it possible to access information on the hard drive of an XP laptop which requires the user to log on to the system?


----------



## Towger (22 Apr 2008)

*Re: Bank of Ireland laptop theft*

Yes, it is easy to get around the password. The data must be encrypted on the disk, which it was not. BTW it only takes a couple of mouse clicks to enable the encryption.


----------



## jhegarty (22 Apr 2008)

*Re: Bank of Ireland laptop theft*

It may take a whole 5 minutes to bypass the Windows login password (if I had a cup of coffee in the middle).....


----------



## Guest120 (22 Apr 2008)

*Re: Bank of Ireland laptop theft*

For anyone who's interested, these are the branches affected:


> The information on the computers includes names, addresses, bank account details and medical records of customers at branches in Drogheda, Dunleer, Bagnelstown, Court Place Carlow, Stephens Green, Tallaght and Montrose.


----------



## Whiskey (22 Apr 2008)

*Re: Bank of Ireland laptop theft*



jhegarty said:


> It may take a whole 5 minutes to bypass the Windows login password (if I had a cup of coffee in the middle).....


 
May I ask how?

I've got an XP laptop, and if I forget my username and password, then I can't enter Windows.
It says "incorrect username and password"! So I'd need to call my company helpdesk, and they would reset it!!

Are you saying there is a "backdoor" username and password which works with all XP systems??

I always was of the belief that if my laptop were stolen, nobody could enter into Windows... I'm obviously wrong... hopefully someone will enlighten us as to what possible techniques might be used to get data from the hard drive of a password-protected XP system.


----------



## ubiquitous (22 Apr 2008)

*Re: Bank of Ireland laptop theft*

I think that companies and the authorities should suppress news of laptop thefts involving loss of confidential data. Media reports which emphasise the potential risks of identity theft etc merely incentivise thieves to exploit these risks by passing stolen laptops to specialist criminals, who might hope to profit from misusing the data on the laptops. The type who happens to "find" laptops every so often and sell them on for €20 or €30 will now be motivated to up the ante.


----------



## Guest120 (22 Apr 2008)

*Re: Bank of Ireland laptop theft*



Whiskey said:


> May I ask how.


Boot using one of the many bootable LINUX os and you'll be able to see the hard disk mounted and will have full access to the data on the disk.

Boot takes around 2 minutes.

There are many ways to access the disk, reinstalling XP in a new location will give you the data also but will take a little longer.


----------
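An added illustration, not written by any poster in this thread: a check a defender could run over a raw disk image to see whether the data at rest is readable with no Windows login involved. The sample image, record contents, key and the SHA-256 keystream (a stand-in for real disk encryption) are constructed for the example.

```python
import hashlib
import math
from collections import Counter

SECTOR = 4096  # bytes examined per block

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext, much lower for text."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for disk encryption (SHA-256 counter keystream), illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def audit_image(image: bytes, threshold: float = 7.5) -> dict:
    """Classify sectors of a raw image as read offline, with no OS login involved."""
    counts = {"readable": 0, "opaque": 0, "empty": 0}
    for off in range(0, len(image), SECTOR):
        block = image[off:off + SECTOR]
        if not any(block):
            counts["empty"] += 1      # zero-filled, never written
        elif shannon_entropy(block) >= threshold:
            counts["opaque"] += 1     # looks like ciphertext
        else:
            counts["readable"] += 1   # structured data visible to anyone
    return counts

# Constructed sample: four sectors of made-up records plus two unused sectors.
RECORD = b"CUST-0001,Constructed Name,1 Example Street,ACCT-00000000\n"
PLAIN = (RECORD * 300)[:4 * SECTOR] + bytes(2 * SECTOR)
KEY = b"constructed demo key"
ENCRYPTED = keystream_xor(PLAIN, KEY)

if __name__ == "__main__":
    print("unencrypted:", audit_image(PLAIN))
    print("encrypted:  ", audit_image(ENCRYPTED))
```

The login password never appears in the audit: only the encrypted image turns every sector opaque.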



## jhegarty (22 Apr 2008)

*Re: Bank of Ireland laptop theft*



Bluetonic said:


> Boot using one of the many bootable LINUX os and you'll be able to see the hard disk mounted and will have full access to the data on the disk.
> 
> Boot takes around 2 minutes.
> 
> There are many ways to access the disk.



As Bluetonic said, Linux boot disk... don't really want to go into more detail than that.


----------



## askalot (22 Apr 2008)

*Re: Bank of Ireland laptop theft*



ubiquitous said:


> I think that companies and the authorities should suppress news of laptop thefts involving loss of confidential data.



Seems like BOI think the same way as it took them nearly a year to report the theft to the Data Protection Commissioner.

It beggars belief that BOI don't encrypt all data held on laptops; this doesn't require hindsight, it is basic security. Do they still have an IT department or did they manage to misplace it during the outsourcing!

Though I suppose if they don't allow encryption on their laptops it's harder for the workers to hide their porn which is a purely executive perk within BOI!


----------



## Towger (22 Apr 2008)

*Re: Bank of Ireland laptop theft*



ubiquitous said:


> I think that companies and the authorities should suppress news of laptop thefts involving loss of confidential data.


 
I have heard of other large 'losses' on the grapevine which have never made it into the public domain. It must be the Montrose connection which got it into the news.

Askalot,

AFAIK there are no PC staff left in BOI, but I assume they must have kept on some of the key mainframe staff!!!


----------



## dereko1969 (22 Apr 2008)

*Re: Bank of Ireland laptop theft*

The governor of the Bank of Ireland has said he is “horrified” by the theft of four laptops containing confidential information of 10,000 customers.

I'm horrified that after the first theft in June no encryption was done on the other laptops! It's all very well for BOI to state they are monitoring these people's accounts for anything untoward, but what about other financial institutions? With all the detail on the laptops the thieves could be applying for quite a number of credit cards from other banks. Someone in BOI should be sacked for this but they won't.


----------



## rsob (22 Apr 2008)

*Re: Bank of Ireland laptop theft*

Just makes the new entrants to the market look better. Maybe it's a good thing that this has come out.

I'd say that BOI is no better or worse than PSB or AIB; they are used to having it easy.

I'm hoping BOI get nailed for this; more power to the Data Commissioner.

http://www.dataprotection.ie/docs/Home/4.htm



> Statement on Investigation into Theft of Personal Data on BOI Laptops
> The Data Protection Commissioner wishes to confirm that his Office is investigating the circumstances surrounding the theft of a substantial amount of personal data on 4 Bank of Ireland laptops over the past year.
> This matter was reported to the Commissioner's Office on Friday morning.  On foot of that contact, a more detailed report has been sought from Bank of Ireland into the exact circumstances surrounding the loss of the personal data.
> The investigation will focus on the justification for the personal data, including sensitive medical data in some cases, being placed on the laptops in the first place, the security arrangements in place and the exact circumstances which led to the delay in the reporting of this matter internally within the Bank of Ireland to the appropriate personnel for the taking of further action.  Consideration will then be given as to what further action will be sought from Bank of Ireland to ensure that the obligations contained in the Data Protection Acts in this area are met.  The Data Protection Commissioner and the  Financial Regulator are cooperating on this matter and we will refer any relevant issues to the Financial Regulator.
> On a broader level, this issue serves to highlight once again the absolute necessity for all organisations in the public and private sector to take their data protection responsibilities seriously.   In particular, all organisations should be assessing immediately the necessity for storing personal data on laptops.  If a need is found, appropriate security measures such as encryption should be put in place immediately.


----------



## dewdrop (22 Apr 2008)

*Re: Bank of Ireland laptop theft*

It would seem that when the laptops were stolen higher authority was not advised... I think the phrase used was that it was not escalated. This begs the question: if the parties concerned had to seek a new laptop, why was it not discovered then? The fact that the thefts occurred over a wide area might suggest it was not the first time. Again, I don't think Bank of Ireland has confirmed that it did not happen before.


----------



## rmelly (22 Apr 2008)

*Re: Bank of Ireland laptop theft*



rsob said:


> Just makes the new entrants to the market look better.


 
sure does - http://www.guardian.co.uk/money/2007/mar/27/business.scamsandfraud


----------



## cryos (22 Apr 2008)

*Re: Bank of Ireland laptop theft*



askalot said:


> Seems like BOI think the same way as it took them nearly a year to report the theft to the Data Protection Commissioner.
> 
> It beggars belief that BOI don't encrypt all data held on laptops; this doesn't require hindsight, it is basic security. Do they still have an IT department or did they manage to misplace it during the outsourcing!
> 
> Though I suppose if they don't allow encryption on their laptops it's harder for the workers to hide their porn which is a purely executive perk within BOI!



Bank of Ireland don't have an IT Department for Infrastructure and Onsite Services; this is managed by HP.

I can't comment on the rest.


----------



## Complainer (25 Apr 2008)

ubiquitous said:


> I think that companies and the authorities should suppress news of laptop thefts involving loss of confidential data. Media reports which emphasise the potential risks of identity theft etc merely incentivise thieves to exploit these risks by passing stolen laptops to specialist criminals, who might hope to profit from misusing the data on the laptops. The type who happens to "find" laptops every so often and sell them on for €20 or €30 will now be motivated to up the ante.



I see your point, but there is a further benefit of widely publicising these incidents, in terms of making other IT managers/business owners/directors very conscious of the need to put appropriate security procedures in place.


----------



## z109 (25 Apr 2008)

*Re: Bank of Ireland laptop theft*



ubiquitous said:


> I think that companies and the authorities should suppress news of laptop thefts involving loss of confidential data. Media reports which emphasise the potential risks of identity theft etc merely incentivise thieves to exploit these risks by passing stolen laptops to specialist criminals, who might hope to profit from misusing the data on the laptops. The type who happens to "find" laptops every so often and sell them on for €20 or €30 will now be motivated to up the ante.


I agree. It should also be kept secret that there is money in banks and that vans are used to transit the cash. This would stop robbers from robbing them. Indeed, we could go a little further and keep the internet a secret between just you and me. That would stop all those phishing attacks and stock boilerroom scams.

Why not stop there? Maybe we should have the state take over the media to prevent them giving out information that might be useful to criminals?


----------



## aircobra19 (25 Apr 2008)

Security through ignorance/obscurity is no security.


----------



## 2002bcl (28 Apr 2008)

Would somebody ask the B of I did it pay €4,000 compensation to one customer for one incident of data exposure in 2005?

The Sunday Trib had it buried in an article page 2 business section.

I'm sure the 31,000 customers would be most interested in the response.


----------



## phil1147 (28 Apr 2008)

Whiskey said:


> ...
> 
> If it is XP, and a login is required to run windows, then the people who stole the laptops would not be able to access any data on the machine.
> 
> ...


 
How do we know you're not the one with the laptops? I'm a member of the BOI and I just hope that they had a much more rigid security measure in place rather than XP. Have they no responsibilities in these large multi-billion euro enterprises? They should pump some of that money into protecting its members... shame on them.


----------

