A scary encounter with an Army recruiter - data on a laptop

I was flying back to Houston from San Antonio on Tuesday, and I was sitting next to a Command Sergeant Major of our great United States Army. He was a recruiter (yes, I got bad chills up my spine when he told me that), and we traded a few Army stories from the past. He asked me about my current job, and I told him that I was an information security professional (yes, he asked me if I could hack stuff).

So as the flight went on, he pulled out his laptop, pulled out his military ID, stuck it in the card reader in his laptop (it doubled as a smart card), and then logged in. I was impressed with the security and the ID card (they've come a long way since I was in), and I told him so. I asked him if the laptops were encrypted, and he said they all had been encrypted since the VA incident a while back (I know he can't really know that ALL had been encrypted, but he was in charge of over 70 recruiting offices across the country, so I am sure he had a decent knowledge of what was going on).

As we flew on, I snuck a peak over at what he was looking at. Lo and behold, I saw a nice big list of names and SSN's, along with some other military specific data like each person's MOS (stands for military occupational specialty - basically their job) and the like. At first, I was floored. I mean, here was this list right there for me to see. And there were literally THOUSANDS of names and SSN's, plus other identifiable information (I wonder how many members of the military use their MOS for their password or a reminder of their password). I could have copied anything down that I wanted to without him knowing it. And just the plain and simple fact that this list was on a laptop really bothered me.

But as I thought more about it, my tangential mind started going down two divergent paths at the same time. One path was scared that this guy had so much critical data on his hard drive and he had that data opened up in a situation where anyone could see it. And it also made me wonder how many laptops held such data out there right now, and how in the h-e-double-hockey-sticks that the Army and the VA had not had a huge incident before last year.

But the other path my mind took was this: notwithstanding the Command Sergeant Major's bad judgment by opening this file on the plane, and even knowing that there was all this data on a laptop that not too long was not encrypted, this was an example of an organization that seems to have reacted to a security incident in a manner that should impress most security professionals. I couldn't help but be struck that although the VA had really, really screwed up a while back, someone learned their lesson and had taken some steps to make things better.

Would I be more comfortable if all that data was not on that laptop? Of course. But as I have said before, business is the driver behind IT. IT is not the driver behind business. If the Army has deemed it necessary to have this type of data on the laptop in order to facilitate recruiting, then at least they are taking steps to secure that data. It is a shame that the incident had to happen to make them take these steps, but at least they did it.