November 15th, 2006 by dm Identity Theft none Comments

According to documents obtained by WTOP through a Freedom of Information Act request, between 2002 and 2006, the IRS had 478 laptops either stolen or lost.

Of those, 112 computers contained sensitive data, including personal information, such as social security numbers, for U.S. taxpayers. It is unclear how many people could be at risk of identity theft.

IRS’ response:

We will be installing an automatic encryption system that will encrypt all information on the hard drives, so that the employee does not specifically need to choose individual files to encrypt. This will start in January. A physical security locking cable is also being provided to all employees with laptops, so that they can physically secure their laptops and help prevent the laptops from being stolen.

Also, the IRS has focused on providing security education, training, and awareness of our employees to ensure they recognize the need to protect sensitive information, and how to use the current encryption capabilities that are available on all IRS computers.

Let’s hope they don’t lose many laptops between now and January, assuming they will get the encryption plan working by then.

November 15th, 2006 by dm Forensics none Comments

It is not fiction – you can securely delete information. However, there are many caveats.

First of all, if you know or have reason to know that the information in question is or will be involved in litigation – securely deleting (or just deleting) any information that may be needed will affect your position very adversely. This point cannot be stressed enough.

Second, unless you use tools that overwrite the deleted information multiple times (30, for instance), there is always a pretty good chance that a skilled forensics expert would restore at least some of what you have erased. Anecdotal evidence shows that some government agencies can restore information overwritten many times by using sophisticated magnetic analysis on a particular disk sector. This is probably difficult and expensive to do, but it may be possible.

Third, mind the information that you did not intentionally create. Memory swap files, printer spool files, or Windows hibernation swap files – all of these files contain information that, on its face, resides in memory, but is stored (often unencrypted) on disk. For instance, if you typed a secret document on your computer, printed it, and then discarded the document without saving it, chances are that there is a copy of the document (printer spool file) somewhere on your hard drive that is waiting to be recovered and read. Also, if you use an encryption program and you ‘Hibernate’ your computer, chances are that your encryption password is stored in plain text in the hibernation swap file.

Finally, see #1 again.

A more detailed report can be found here.
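
An added example, not part of the original post: a Python audit for the third caveat that lists the files Windows writes on its own (hibernation file, swap files, printer spool files) so you can see what exists before deciding what to wipe. It assumes the default Windows file names and the default spool directory under \Windows\System32; the function and constant names are illustrative, and the volume root can be a live drive or a mounted disk image.

```python
import sys
from pathlib import Path

# Files at the root of the Windows volume that hold copies of memory contents.
ROOT_FILES = {
    "hiberfil.sys": "hibernation file (RAM image written on Hibernate)",
    "pagefile.sys": "memory swap (paging) file",
    "swapfile.sys": "memory swap file (Windows 8 and later)",
}
# Default print spooler directory, relative to the volume root (assumed default).
SPOOL_DIR = ("Windows", "System32", "spool", "PRINTERS")
SPOOL_EXTS = {".spl": "printer spool data", ".shd": "printer spool job header"}


def _child(parent, name):
    """Case-insensitive lookup, so a mounted image on Linux matches too."""
    try:
        for entry in parent.iterdir():
            if entry.name.lower() == name.lower():
                return entry
    except OSError:  # missing, unreadable, or not a directory
        pass
    return None


def find_residual_files(volume_root):
    """Return (path, description, size_bytes) for each residual file found."""
    root = Path(volume_root)
    findings = []
    for name, desc in ROOT_FILES.items():
        hit = _child(root, name)
        if hit is not None and hit.is_file():
            findings.append((str(hit), desc, hit.stat().st_size))
    spool = root
    for part in SPOOL_DIR:
        spool = _child(spool, part) if spool is not None else None
    if spool is not None and spool.is_dir():
        for entry in sorted(spool.iterdir()):
            desc = SPOOL_EXTS.get(entry.suffix.lower())
            if desc and entry.is_file():
                findings.append((str(entry), desc, entry.stat().st_size))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for path, desc, size in find_residual_files(target):
        print(f"{size:>14,d}  {desc:<50} {path}")
```

On a live system, run it from an elevated prompt, since the root files are hidden system files and the spool directory is restricted.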