Backup tapes are backdoor for ID thieves

Tales from the encrypt



Large companies are reconsidering their security and backup policies after a handful of financial and information-technology companies have admitted that tapes holding unencrypted customer data have gone missing.

Last week, trading firm Ameritrade acknowledged that the company that handles its backup data had lost a tape containing information on about 200,000 customers. The financial firm is now revising its backup policies and, in the interim, has halted all movement of backup tapes, a spokesperson said this week.

Iron Mountain, a company that handles large corporations' data storage, also acknowledged that it had lost track of four sets of customer backup tapes since the beginning of this year. While the company points out such incidents are a tiny fraction of its nearly five million pick-ups and deliveries done annually, its top executive has called on clients to revamp their policies and start encrypting critical data.

"It is important to understand that unencrypted information stored on backup tapes is difficult to read, but it is not impossible," Richard Reese, chairman and CEO of the Boston-based data protection service, said in a statement issued last week. "Companies need to reassess their backup strategies and seriously consider encrypting sensitive data to prevent a potential breach of privacy."

The reconsideration of backup policies comes as the financial industry is recovering from several high-profile data leaks due to lost or stolen tapes. Bank of America told government officials in February that the company had lost a tape containing account information on a large number of government credit-card holders. A representative of Bank of America could not be reached for comment.

It's unknown whether any of the lost tapes resulted in account compromises.

"We don't believe that any foul play was involved," said Donna Kush, spokeswoman for Ameritrade. "We were able to recover three (of four) tapes in (our provider's) facility. We think the fourth was lost or destroyed within the facility."

Even without evidence of theft, the lack of encryption is disturbing, if entirely expected, said Jon Oltsik, senior research analyst for the Enterprise Strategy Group. The analyst firm polled almost 400 companies and found that, despite renewed focus on securing customer data, more than 60 per cent of the companies do not encrypt any of their backup data, and only seven per cent actually encrypt all their backup data.

The financial industry does not set best practices in this case either, Oltsik found. Two-thirds of the financial firms polled by ESG never encrypted the data that they were backing up. The majority of larger firms also failed to encrypt their backup data, with about 56 per cent of companies with revenues greater than $5 billion never having encrypted their data before putting it on tape.

Online backup services that fail to encrypt information represent a security risk similar to that of any information stored on a hard drive that can easily be stolen, Oltsik said, pointing to a recent rash of stolen laptops that contained medical information. The high-profile breaches have executives asking questions about their backup and encryption policies.

"Two years ago, companies didn't get it," he said. "Now, all the people I know in this business are hearing interest from all quarters."

Because backups tend to be done by the least important members of the information technology staff, sometimes disparaged as "tape monkeys," the tapes are also at greater risk of insider attacks. Moreover, insiders have the access to know what data is on each tape, information that could help identity thieves target the right tapes.

"The process is totally insecure," Oltsik said. "You put your most junior people on this job, and those are the people that are most likely to be bribed and look for another way to make money."

While individual companies appear to be tackling the problem, there is currently no federal policy in place, or planned, for financial firms, according to a representative of the Federal Deposit Insurance Corporation, the government agency that regulates federally insured banks.

Following the announcement by the Bank of America of its lost tape, the FDIC and three other federal agencies set guidelines to require that their members notify customers and regulators of any information that might be at risk, essentially adopting a rule similar to the law passed in California that led to the disclosure of so many breaches. However, the rule stopped short of requiring companies to protect such sensitive information with encryption.

Yet, those rules may come, as the increasing number of data leaks highlights the insecurity of sensitive information found on backup tapes.

"We are working very aggressively to educate our clients about the changing landscape," said Melissa Burman, spokeswoman for Iron Mountain. "The privacy concerns were not there, but now these issues are coming to life."

Copyright © 2005, SecurityFocus
