SecurityFocus, 2005-04-28
In many cases, low paid workers are handling sensitive tapes, but only a small fraction of companies are securing the data with encryption.
Last week, trading firm Ameritrade acknowledged that the company that handles its backup data had lost a tape containing information on about 200,000 customers. The financial firm is now revising its backup policies and, in the interim, has halted all movement of backup tapes, a spokesperson said this week.
Iron Mountain, a company that handles large corporations' data storage, also acknowledged that it had lost track of four sets of customer backup tapes since the beginning of this year. While the company points out such incidents are a tiny fraction of its nearly 5 million pick-ups and deliveries done annually, its top executive has called on clients to revamp their policies and start encrypting critical data.
"It is important to understand that unencrypted information stored on backup tapes is difficult to read, but it is not impossible," Richard Reese, chairman and CEO of the Boston-based data protection service, said in a statement issued last week. "Companies need to reassess their backup strategies and seriously consider encrypting sensitive data to prevent a potential breach of privacy."
The reconsideration of backup policies comes as the financial industry is recovering from several high-profile data leaks due to lost or stolen tapes. Bank of America told government officials in February that the company had lost a tape containing account information on a large number of government credit-card holders. A representative of Bank of America could not be reached for comment.
It's unknown whether any of the lost tapes resulted in account compromises.
"We don't believe that any foul play was involved," said Donna Kush, spokeswoman for Ameritrade. "We were able to recover three (of four) tapes in (our provider's) facility. We think the fourth was lost or destroyed within the facility."
Even without evidence of theft, the lack of encryption is disturbing, if entirely expected, said Jon Oltsik, senior research analyst for the Enterprise Strategy Group. The analyst firm polled almost 400 companies and found that, despite renewed focus on securing customer data, more than 60 percent of the companies do not encrypt any of their backup data, and only 7 percent actually encrypt all their backup data.
The financial industry does not set best practices in this case either, Oltsik found. Two-thirds of the financial firms polled by ESG never encrypted the data that they were backing up. The majority of larger firms also failed to encrypt their backup data, with about 56 percent of companies with revenues greater than $5 billion never having encrypted their data before putting it on tape.
Online backup services that fail to encrypt information pose security risks similar to those of any information stored on a hard drive that can easily be stolen, Oltsik said, pointing to a recent rash of stolen laptops that contained medical information. The high-profile breaches have executives asking questions about their backup policies and encryption policies.
"Two years ago, companies didn't get it," he said. "Now, all the people I know in this business are hearing interest from all quarters."
Backups tend to be handled by the least important members of the information technology staff, sometimes disparaged as "tape monkeys," so the tapes are at greater risk of insider attacks as well. Moreover, insiders have the access to know what data is on each tape, information that could help identity thieves target the right tapes.
"The process is totally insecure," Oltsik said. "You put your most junior people on this job, and those are the people that are most likely to be bribed and look for another way to make money."
While individual companies appear to be tackling the problem, there currently appears to be no federal policy in place, or planned for implementation, for financial firms, according to a representative of the Federal Deposit Insurance Corporation, the government agency that regulates federally insured banks.
Following Bank of America's announcement of its lost tape, the FDIC and three other federal agencies set guidelines requiring their members to notify customers and regulators of any information that might be at risk, essentially adopting a rule similar to the California law that led to the disclosure of so many breaches. However, the rule stopped short of requiring companies to protect such sensitive information with encryption.
Yet, those rules may come, as the increasing number of data leaks highlights the insecurity of sensitive information found on backup tapes.
"We are working very aggressively to educate our clients about the changing landscape," said Melissa Burman, spokeswoman for Iron Mountain. "The privacy concerns were not there, but now these issues are coming to life."