According to the police, intruders broke in through a window and then forced a door to get in through the back of the building. Early reports of the incident had claimed that the office's security system may have been disabled over the Easter break.
The office's executive manager, Paul Tobin, told ZDNet Australia the intruders smashed through a plasterboard wall to gain access to their level, after coming in through a floor to ceiling window at the rear of the building.
"If they could have broken in through the front door it was pretty stupid of them to go and break a large floor-to-ceiling window," he said.
A police statement said there was nothing to suggest that the laptops were stolen to gain access to the files on them. Tobin says there's very little chance that sensitive data was on stored on the systems anyway--all of that is kept on file servers, he said.
"They've taken our brand new laptops... they just took what they could carry. There were more [laptops] there. There were no files disturbed or anything like that," he added.
Security consultant Daniel Lewkovitz says that the incident highlights the need for better physical security in corporate and government environments.
"Laptop theft is a really big problem. The truth is that most of the laptops are stolen for their cash value and not the data on them... but more often than not the value of the information on them may outweigh the cost of the laptop itself," he told ZDNet Australia.
Stolen laptops can provide intruders with a way in to corporate networks too, if passwords and connection settings have been left on them. Lewkovitz says more strict physical security regimes are required.
"Cable locks are not enough... they will only stop the opportunist thief at best. Standard lockable draws are also easily broken in to, I would recommend a safe or vault similar to the B class cabinets used for document storage," he said.
According to Lewkovitz, even e-mail can be regarded as sensitive data. He also says that administrators shouldn't rely on BIOS passwords or authentication measures such as a standard login, as physical access will often render these actions useless.
