[IP] Backup tapes a backdoor for identity thieves
Begin forwarded message:
From: "Elaine M. Newton" <enewton@xxxxxxxxxxxxxx>
Date: May 6, 2005 2:03:28 PM EDT
To: David Farber <dave@xxxxxxxxxx>
Cc: Ip <ip@xxxxxxxxxxxxxx>
Subject: Backup tapes a backdoor for identity thieves
For the IP list if you wish:
http://securityfocus.com/news/11048
SECURITYFOCUS NEWS
Backup tapes a backdoor for identity thieves
In many cases, low-paid workers are handling sensitive tapes, but
only a small fraction of companies are securing the data with
encryption.
By Robert Lemos, SecurityFocus Apr 28 2005 2:26PM
Large companies are reconsidering their security and backup policies
after a handful of financial and information-technology companies
have admitted that tapes holding unencrypted customer data have gone
missing.
Last week, trading firm Ameritrade acknowledged that the company that
handles its backup data had lost a tape containing information on
about 200,000 customers. The financial firm is now revising its
backup policies and, in the interim, has halted all movement of
backup tapes, a spokesperson said this week.
Iron Mountain, a company that handles large corporations' data
storage, also acknowledged that it had lost track of four sets of
customer backup tapes since the beginning of this year. While the
company points out such incidents are a tiny fraction of its nearly 5
million pick-ups and deliveries done annually, its top executive has
called on clients to revamp their policies and start encrypting
critical data.
"It is important to understand that unencrypted information stored on
backup tapes is difficult to read, but it is not impossible," Richard
Reese, chairman and CEO of the Boston-based data protection service,
said in a statement issued last week. "Companies need to reassess
their backup strategies and seriously consider encrypting sensitive
data to prevent a potential breach of privacy."
The reconsideration of backup policies comes as the financial
industry is recovering from several high-profile data leaks due to
lost or stolen tapes. Bank of America told government officials in
February that the company had lost a tape containing account
information on a large number of government credit-card holders. A
representative of Bank of America could not be reached for comment.
It's unknown whether any of the lost tapes resulted in account
compromises.
"We don't believe that any foul play was involved," said Donna Kush,
spokeswoman for Ameritrade. "We were able to recover three (of four)
tapes in (our provider's) facility. We think the fourth was lost or
destroyed within the facility."
Even without evidence of theft, the lack of encryption is disturbing,
if entirely expected, said Jon Oltsik, senior research analyst for
the Enterprise Strategy Group. The analyst firm polled almost 400
companies and found that, despite renewed focus on securing customer
data, more than 60 percent of the companies do not encrypt any of
their backup data, and only 7 percent actually encrypt all their
backup data.
The financial industry does not set best practices in this case
either, Oltsik found. Two-thirds of the financial firms polled by ESG
never encrypted the data that they were backing up. The majority of
larger firms also failed to encrypt their backup data, with about 56
percent of companies with revenues greater than $5 billion never
having encrypted their data before putting it on tape.
Online backup services that fail to encrypt information pose
security risks similar to those of data stored on a hard drive that
can easily be stolen, Oltsik said, pointing to a recent rash of
stolen laptops that contained medical information. The high-profile
breaches have executives asking questions about their backup
policies and encryption policies.
"Two years ago, companies didn't get it," he said. "Now, all the
people I know in this business are hearing interest from all quarters."
Because backups tend to be done by the least important members of the
information technology staff, sometimes disparaged as "tape monkeys,"
the tapes are at greater risk of insider attacks as well. Moreover,
insiders have the access to know what data is on each tape,
information that could help identity thieves target the right tapes.
"The process is totally insecure," Oltsik said. "You put your most
junior people on this job, and those are the people that are most
likely to be bribed and look for another way to make money."
While individual companies appear to be tackling the problem, there
currently appears to be no federal policy in place, or planned to be
implemented, for financial firms, according to a representative of
the Federal Deposit Insurance Corporation, the government agency that
regulates federally insured banks.
Following the announcement by the Bank of America of its lost tape,
the FDIC and three other federal agencies set guidelines to require
that their members notify customers and regulators of any information
that might be at risk, essentially adopting a rule similar to the law
passed in California that led to the disclosure of so many breaches.
However, the rule stopped short of requiring companies to protect
such sensitive information with encryption.
Yet, those rules may come, as the increasing number of data leaks
highlights the insecurity of sensitive information found on backup
tapes.
"We are working very aggressively to educate our clients about the
changing landscape," said Melissa Burman, spokeswoman for Iron
Mountain. "The privacy concerns were not there, but now these issues
are coming to life."