[ISN] Backup tapes are backdoor for ID thieves

InfoSec News isn at c4i.org
Mon May 2 02:28:53 EDT 2005


By Robert Lemos
29th April 2005 

Large companies are reconsidering their security and backup policies
after a handful of financial and information-technology companies have
admitted that tapes holding unencrypted customer data have gone

Last week, trading firm Ameritrade acknowledged that the company that
handles its backup data had lost a tape containing information on
about 200,000 customers. The financial firm is now revising its backup
policies and, in the interim, has halted all movement of backup tapes,
a spokesperson said this week.

Iron Mountain, a company that handles large corporations' data
storage, also acknowledged that it had lost track of four sets of
customer backup tapes since the beginning of this year. While the
company points out such incidents are a tiny fraction of its nearly
five million pick-ups and deliveries done annually, its top executive
has called on clients to revamp their policies and start encrypting
critical data.

"It is important to understand that unencrypted information stored on
backup tapes is difficult to read, but it is not impossible," Richard
Reese, chairman and CEO of the Boston-based data protection service,
said in a statement issued last week. "Companies need to reassess
their backup strategies and seriously consider encrypting sensitive
data to prevent a potential breach of privacy."

The reconsideration of backup policies comes as the financial industry
is recovering from several high-profile data leaks due to lost or
stolen tapes. Bank of America told government officials in February
that the company had lost a tape containing account information on a
large number of government credit-card holders. A representative of
Bank of America could not be reached for comment.

It's unknown whether any of the lost tapes resulted in account

"We don't believe that any foul play was involved," said Donna Kush,
spokeswoman for Ameritrade. "We were able to recover three (of four)  
tapes in (our provider's) facility. We think the fourth was lost or
destroyed within the facility."

Even without evidence of theft, the lack of encryption is disturbing,
if entirely expected, said Jon Oltsik, senior research analyst for the
Enterprise Strategy Group. The analyst firm polled almost 400
companies and found that, despite renewed focus on securing customer
data, more than 60 per cent of the companies do not encrypt any of
their backup data, and only seven per cent actually encrypt all their
backup data.

The financial industry does not set best practices in this case
either, Oltsik found. Two-thirds of the financial firms polled by ESG
never encrypted the data that they were backing up. The majority of
larger firms also failed to encrypt their backup data, with about 56
per cent of companies with revenues greater than $5 billion never
having encrypted their data before putting it on tape.

Online backup services that fail to encrypt information pose security
risks similar to those of any information stored on a hard drive that
can easily be stolen, Oltsik said, pointing to a recent rash of stolen
laptops that contained medical information. The high-profile breaches
have executives asking questions about their backup and encryption
policies.

"Two years ago, companies didn't get it," he said. "Now, all the
people I know in this business are hearing interest from all

Backups tend to be done by the least important members of the
information technology staff, sometimes disparaged as "tape monkeys,"
so the tapes are at greater risk of insider attacks as well. Moreover,
insiders have the access to know what data is on each tape,
information that could help identity thieves target the right

"The process is totally insecure," Oltsik said. "You put your most
junior people on this job, and those are the people that are most
likely to be bribed and look for another way to make money."

While individual companies appear to be tackling the problem, there
currently appears to be no federal policy in place, or planned to be
implemented, for financial firms, according to a representative of the
Federal Deposit Insurance Corporation, the government agency that
regulates federally insured banks.

Following the announcement by the Bank of America of its lost tape,
the FDIC and three other federal agencies set guidelines to require
that their members notify customers and regulators of any information
that might be at risk, essentially adopting a rule similar to the law
passed in California that led to the disclosure of so many breaches.  
However, the rule stopped short of requiring companies to protect such
sensitive information with encryption.

Yet, those rules may come, as the increasing number of data leaks
highlights the insecurity of sensitive information found on backup

"We are working very aggressively to educate our clients about the
changing landscape," said Melissa Burman, spokeswoman for Iron
Mountain. "The privacy concerns were not there, but now these issues
are coming to life."

Copyright © 2005