Backup tapes are backdoor for ID thieves

Tales from the encrypt


Large companies are reconsidering their security and backup policies after a handful of financial and information-technology companies have admitted that tapes holding unencrypted customer data have gone missing.

Last week, trading firm Ameritrade acknowledged that the company that handles its backup data had lost a tape containing information on about 200,000 customers. The financial firm is now revising its backup policies and, in the interim, has halted all movement of backup tapes, a spokesperson said this week.

Iron Mountain, a company that handles large corporations' data storage, also acknowledged that it had lost track of four sets of customer backup tapes since the beginning of this year. While the company points out such incidents are a tiny fraction of its nearly five million pick-ups and deliveries done annually, its top executive has called on clients to revamp their policies and start encrypting critical data.

"It is important to understand that unencrypted information stored on backup tapes is difficult to read, but it is not impossible," Richard Reese, chairman and CEO of the Boston-based data protection service, said in a statement issued last week. "Companies need to reassess their backup strategies and seriously consider encrypting sensitive data to prevent a potential breach of privacy."

The reconsideration of backup policies comes as the financial industry is recovering from several high-profile data leaks due to lost or stolen tapes. Bank of America told government officials in February that the company had lost a tape containing account information on a large number of government credit-card holders. A representative of Bank of America could not be reached for comment.

It's unknown whether any of the lost tapes resulted in account compromises.

"We don't believe that any foul play was involved," said Donna Kush, spokeswoman for Ameritrade. "We were able to recover three (of four) tapes in (our provider's) facility. We think the fourth was lost or destroyed within the facility."

Even without evidence of theft, the lack of encryption is disturbing, if entirely expected, said Jon Oltsik, senior research analyst for the Enterprise Strategy Group. The analyst firm polled almost 400 companies and found that, despite renewed focus on securing customer data, more than 60 per cent of the companies do not encrypt any of their backup data, and only seven per cent actually encrypt all their backup data.

The financial industry does not set best practices in this case either, Oltsik found. Two-thirds of the financial firms polled by ESG never encrypted the data that they were backing up. The majority of larger firms also failed to encrypt their backup data: about 56 per cent of companies with revenues greater than $5 billion never encrypted their data before putting it on tape.

Online backup services that fail to encrypt information pose the same security risk as any information stored on a hard drive that can easily be stolen, Oltsik said, pointing to a recent rash of stolen laptops that contained medical information. The high-profile breaches have executives asking questions about their backup and encryption policies.

"Two years ago, companies didn't get it," he said. "Now, all the people I know in this business are hearing interest from all quarters."

Because backups tend to be done by the least important members of the information technology staff, sometimes disparaged as "tape monkeys," the tapes are at greater risk of insider attacks as well. Moreover, insiders have the access to know what data is on each tape, information that could help identity thieves target the right tapes.

"The process is totally insecure," Oltsik said. "You put your most junior people on this job, and those are the people that are most likely to be bribed and look for another way to make money."
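The control Reese and Oltsik are calling for, encrypting data before it goes on tape so that whoever handles the media cannot read it, is shown below as an added example written for this page; it is not code from Ameritrade, Iron Mountain or any of the firms surveyed. It seals a backup archive with AES-256-GCM from Go's standard library and writes a record the courier or tape operator can label but not decrypt. The record layout (key fingerprint, nonce, ciphertext and tag), the `KeyIDFor` fingerprint scheme, the `Exposes` check and the sample customer rows are all assumptions constructed for the example; the key itself is assumed to come from a key store that never travels with the tape.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record layout written to tape (a layout chosen for this example, not any
// vendor's format):
//   keyID (16 hex chars) || nonce (12 bytes) || AES-256-GCM ciphertext+tag
const keyIDLen = 16
const nonceLen = 12

// KeyIDFor returns a short fingerprint of the key (assumed scheme: first 8
// bytes of SHA-256, hex) so the tape label can say which key restores it
// without the label itself revealing the key.
func KeyIDFor(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:keyIDLen/2])
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts an archive before it is handed to the media courier.
func SealBackup(key, archive []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	keyID := []byte(KeyIDFor(key))
	record := make([]byte, 0, keyIDLen+nonceLen+len(archive)+aead.Overhead())
	record = append(record, keyID...)
	record = append(record, nonce...)
	// The key id is additional authenticated data: readable on the tape, but
	// any change to it makes the tag check fail on restore.
	return aead.Seal(record, nonce, archive, keyID), nil
}

// OpenBackup restores an archive; it fails closed on the wrong key or on any
// modification of the record.
func OpenBackup(key, record []byte) ([]byte, error) {
	if len(record) < keyIDLen+nonceLen {
		return nil, errors.New("record too short to be a sealed backup")
	}
	keyID := record[:keyIDLen]
	if string(keyID) != KeyIDFor(key) {
		return nil, fmt.Errorf("tape was sealed with key %s, not the key supplied", keyID)
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := record[keyIDLen : keyIDLen+nonceLen]
	ciphertext := record[keyIDLen+nonceLen:]
	plaintext, err := aead.Open(nil, nonce, ciphertext, keyID)
	if err != nil {
		return nil, errors.New("authentication failed: tape was altered or key is wrong")
	}
	return plaintext, nil
}

// Exposes is the check a reviewer would run on the sealed record: does any
// customer field appear in the bytes the courier carries?
func Exposes(record, fragment []byte) bool {
	return bytes.Contains(record, fragment)
}

func main() {
	// Constructed sample rows; a real archive would be the tar stream.
	archive := []byte("acct=1234567890 name=Jane Doe ssn=000-00-0000\n" +
		"acct=0987654321 name=John Roe ssn=000-00-0001\n")
	// Assumed: key fetched from a key store, never written to the same tape.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record, err := SealBackup(key, archive)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tape label key id: %s\n", record[:keyIDLen])
	fmt.Printf("courier can see a customer name: %v\n", Exposes(record, []byte("Jane Doe")))
	restored, err := OpenBackup(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored %d bytes with the right key\n", len(restored))
}
```

The design point is the split of custody: the tape and its label carry only a key fingerprint, the nonce and authenticated ciphertext, so losing a tape, or an operator reading one, yields nothing usable, while a restore still tells you which key to fetch and refuses to proceed if the media has been altered.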

While individual companies appear to be tackling the problem, there currently appears to be no federal policy in place, or planned, for financial firms, according to a representative of the Federal Deposit Insurance Corporation, the government agency that regulates federally insured banks.

Following the announcement by the Bank of America of its lost tape, the FDIC and three other federal agencies set guidelines to require that their members notify customers and regulators of any information that might be at risk, essentially adopting a rule similar to the law passed in California that led to the disclosure of so many breaches. However, the rule stopped short of requiring companies to protect such sensitive information with encryption.

Yet, those rules may come, as the increasing number of data leaks highlights the insecurity of sensitive information found on backup tapes.

"We are working very aggressively to educate our clients about the changing landscape," said Melissa Burman, spokeswoman for Iron Mountain. "The privacy concerns were not there, but now these issues are coming to life."

Copyright © 2005, SecurityFocus
