Ex-Harrods IT man cleared of stealing company issued laptop

The former Harrods IT worker accused of stealing a laptop from the luxury department store in the UK capital has been cleared of theft – but was fined for trying to remove it from the department store's domain. Pardeep Parmar, of Grove Road, Hitchin, Hertfordshire, previously pleaded guilty to causing a computer to perform a …

          1. Cederic Silver badge

            they have 30 days to comply

            Nah. They'll point out that they're legally obliged to retain payroll records, which include his NI number, and that means that whether he likes it or not, under GDPR they have a legitimate business reason to hold that data and will not delete it.

  1. ukgnome

    The first thing that anyone with a work laptop should be told is - Any data on this device is ours.

    1. Chris King

      "The first thing that anyone with a work laptop should be told is - Any data on this device is ours"

      Or just say "No personal use whatsoever" from the get-go.

      Allowing personal usage without establishing any sort of boundaries can be a real nightmare in situations like this, or where an employee dies in service and there's personal stuff on the device.

      1. Anonymous Coward

        "No personal use whatsoever"

        It would be possible for someone to have their personal credit card details accessible on a company PC for booking hotels etc on company business. Most hotels that I have booked online recently want an authenticated credit card assurance up front as security - even if you actually pay at reception later.

        At my last company small purchases under about £100 were also expected to be handled by the employee and claimed back on expenses with a receipt. Purchase orders were reserved for expensive things as the overheads of raising them were seen as unnecessary expense and delay. Company credit cards were as rare as hen's teeth.

        1. Doctor Syntax Silver badge

          "It would be possible for someone to have their personal credit card details accessible on a company PC for booking hotels etc on company business."

          That's one category of information I don't have to keep on a PC. It lives in my wallet.

          If, however, there's stuff that I think should be kept private it can go into something like Keepass. Even if the disk is encrypted on a company laptop having a separate encrypted file to which the company has no access would have solved the problem. It would also solve the problem of the company backing up the laptop onto their own servers.

          1. Aqua Marina

            It never ceases to amaze me just how many British commentards that post here have the belief that an employment contract can remove your statutory rights as a UK citizen. Seriously, I'm sure you guys must be being walked all over by your employers, or you are school age, and watch a lot of American TV shows.

            Let's take it slowly so you understand it.

            A company has a policy that says "No personal use or data on company resources, or else *(except in an emergency)." This is perfectly legal, and if an employee breaks the policy they quite rightly and legally are able to be disciplined.

            What the company cannot say is "if you break this policy, you are entitled to no privacy and we can do what we want with your data". This would be illegal. The right to privacy is enshrined in law. Any personal information the company comes across, even when a written policy was established forbidding it, is still subject to the Data Protection Act, and next year will be subject to the even more stringent GDPR. A company must by law treat personal information with confidence regardless of policy. Law > Employment Contract.

            *already established by case law

            1. Anonymous Coward

              You don't live here do you?

              AC because this is a work laptop.

      2. Alan Brown Silver badge

        "where an employee dies in service and there's personal stuff on the device."

        Privacy laws don't apply to dead people, so that's actually a non-problem.

        1. Anonymous Coward

          Privacy laws don't apply to dead people, so that's actually a non-problem.

          Besides, getting haunted is interesting :p

  2. Mark M.

    Erasing content company laptops

    If you have personal data you want deleted from a company laptop and the laptop is a cheap-ass PoS with spinning rust for storage, just leave a big-ass electromagnet on it for a few hours before tossing it back.

    Any company doing IT support correctly would just re-image the laptop from the latest core build and remove any "customisation" the previous owner may have had, which could include elevated privileges to internal systems stored in non-core application installs or support documentation.

  3. Spudley

    In any competent IT department, if a computer is returned for whatever reason (employee leaves, gets an upgrade, etc), the first thing the IT department should do is wipe the disk and re-install the OS.

    This is standard practice and protects the company as well as both the original holder of the equipment and the next person who gets it.

    I would definitely agree that you really shouldn't ever store personal data on a company computer, but it does happen. Wiping the system as standard should mitigate any danger from that, but I can understand the anxiety of this guy if he didn't know that would happen, or didn't trust the IT department.

    1. Anonymous Coward

      Spudley: "In any competent IT department, if a computer is returned for whatever reason (employee leaves, gets an upgrade, etc), the first thing the IT department should do is wipe the disk and re-install the OS."

      Nope. The first thing they should do is take an image of the disk. Then wipe and reinstall.

      The backed up image saved a lot of problems at one company when HMRC came sniffing after some suspicious financial activity. It turns out the former CFO and CEO had been misusing funds and the backups provided evidence of their culpability, meaning HMRC went after them personally rather than the company itself.

    2. Mark 85

      In any competent IT department, if a computer is returned for whatever reason (employee leaves, gets an upgrade, etc), the first thing the IT department should do is wipe the disk and re-install the OS.

      Policy where I worked was "all computers from terminated employees will be held for 30 days prior to re-imaging and re-issue". This was "just in case" there were legal issues or personal data which we helped get back to the employee. Usually, most folks were smart enough to email any personal data to their home. We did have our share of "legal issues" so this 30 day hold was wise. Holding the whole computer also helped with "chain of evidence" as an image wasn't considered "original".

  4. webly

    Surely he could have just logged in without internet connection and deleted what he needed (or put it on a USB stick etc etc)

    He may have been removed from the domain at work but he was using the computer at home, I've never had a system which was rendered a complete brick by being offline

    1. Roland6 Silver badge

      > I've never had a system which was rendered a complete brick by being offline

      This was the bit that got me too.

      I suppose Harrods could be using advanced security and the laptop has a built in GSM security device, so as part of his departure, IT denies systems access which automatically sends an SMS to all devices on the system registered to him...

      1. Mark 85

        Seems strange here also... why brick a laptop that's off line? I thought that's why folks were issued laptops to work mobility and even when there was no connection.

    2. 2Nick3

      "I've never had a system which was rendered a complete brick by being offline"

      AD will let you see where a user is logged in, push a logout to that device, and revoke their ability to login. Add a VPN connection so the machine is on the network, and you just prevented the user from getting back into it (with their AD credentials, at least).

      Which means Herrod's has a procedure when an employee separates, and they follow it.

      1. Anonymous Coward

        Which means Herrod's has a procedure when an employee separates, and they follow it.

        At least *someone* doing it right. I'd almost given up on that.

      2. Roland6 Silver badge

        >AD will let you see where a user is logged in...

        After I posted I remembered one company where the laptop had to be periodically connected to the corporate domain (not sure if it was tied to password expiry or not). Obviously if this happened when working offsite, it meant connecting the laptop to a network (LAN or modem), establishing a VPN and allowing AD to do its stuff. However, for this to happen you had to be in possession of your company issued security access pin generator... I think also I had to visit an office 1~2 times a year and connect the laptop to the wired LAN and reboot, so that various other AD controlled stuff got updated.

        I assume therefore that at some time someone in Harrods IT knew a thing or two about security to set this up and to implement HDD encryption (and BIOS password). Obviously, once such an offline system has decided a user password has expired and the user no longer has access to the corporate network and AD, it is effectively a brick - unless the user performs a motherboard jumper reset, HDD reformat etc.

        Otherwise, I suspect the guy simply got the password wrong too many times and Windows barred access. Requiring the laptop to be taken to IT who would use their AD/admin access permissions to re-enable the account...

        Either way, it would be interesting to know, just what security measures were in place to brick the laptop.

      3. Doctor Syntax Silver badge

        "Which means Herrod's has a procedure when an employee separates, and they follow it."

        Herrod? Think of the children.

  5. Anonymous Coward

    Obviously not IT competent, Computer Shop workers do not have secret apps/hardware to access laptops. If you cannot login normally the laptop needs to be bootable by usb/cd or HDD to be removable to access the data or to wipe it if encrypted. I may have asked the shopworkers what they would do to access a non removable, non usb/cd bootable laptop but would not leave it with them to tinker with.

  6. Anonymous Coward

    It's a shame this wasn't a civil case then he could have been asked are you being served?

    If anyone can beat that for being crap with an even more tenuous link then you win a pair of rubber gloves to do with as you please.

    1. Chris King
      Trollface

      This was Harrods, so not "Open All Hours".

      You can keep the gloves, I've got a box of latex ones handy for those "special" cases.

  7. Joe Montana

    IT worker

    So this guy supposedly worked in IT, and yet he wasn't aware of the various ways in which he could have accessed or erased the machine?

    Sounds like Harrods was right to make him redundant, he clearly wasn't competent at the job he was supposed to be doing.

  8. chivo243 Silver badge
    Facepalm

    This is one of those stories

    That proves the stupidity in our fellow man, dare I say fellow IT practitioner?

    I got this feeling there is a wee bit more to this story than has been told...

    1. Doctor Syntax Silver badge

      Re: This is one of those stories

      "I got this feeling there is a wee bit more to this story than has been told."

      It's a given of court cases that (a) there's more than you're being told and (b) you're being told more than there is, at least by one side.

  9. Dave 32
    Flame

    Erasing a laptop

    He could have erased the information from the machine with an axe. I'm told that Thermite also works quite well.

    Dave

    1. Anonymous Coward

      Re: Erasing a laptop

      "I'm afraid I can't let you do that, Dave"

      Sorry, it was stronger than myself :)

  10. adam payne

    Storing personal information on a company laptop is just asking for trouble. I don't store any personal information on my work laptop and never would.

  11. Anonymous Coward

    A lot of self righteous types in today

    I take it none of you have ever used Amazon, personal email, social media or any other personal information while at work?

    And if you never have, I would find you more suspicious than this guy, TBH...

    1. DropBear

      Re: A lot of self righteous types in today

      Now that you mention it - I prefer to avoid shopping from work, so no Amazon, yes. My personal mail I can access any time through my smartphone, but if I use the laptop, it's a webmail interface, and the browser is always set to permanently incognito browsing; I just need to close it. Social media I just flat out don't do. To be fair though, there IS some personal information on that laptop, considering Dropbox keeps a local copy on everything that ever tries to sync with it. Then again, all of it is encrypted with EncFS, which I manually start and enter the password into whenever needed - soooo... given the chance I'd prefer to wipe that cache and de-auth the sync client but ultimately I don't really care who looks at that gibberish, either from work or from the cloud.

    2. adam payne

      Re: A lot of self righteous types in today

      Going on Amazon / personal email is just history and cookies. It's a little different than putting scans of your ID on a laptop.

    3. katrinab Silver badge

      Re: A lot of self righteous types in today

      To access social media at work, I need to use Putty to tunnel to a proxy server at home, access a browser over Remote Desktop via a Remote Desktop Gateway at home, or use my phone.

  12. steviebuk Silver badge

    IT worker?

    People can't say "He shouldn't have had personal stuff on the laptop". Everyone does it eventually. You'll end up with some personal documents on there at some point. However, if he's an "IT worker" surely he should know that upon returning the device it would have been wiped, so claiming he was doing it because he wanted the data wiped seems a bit of an odd argument. However, it's possible he knew someone in the department would snoop. But the next question is, why did he take it to a computer shop? Was he not an IT engineer then? As if he knew what he was doing he'd have been able to get into it himself, then no one would have known and no court case would have happened.

    Seems odd, unless he was just a manager for IT but wasn't really IT savvy (I know some IT managers who know fuck all about IT).
