[ISN] Whoops! We Seem to Have Misplaced Your Identity
isn at c4i.org
Mon May 9 04:23:56 EDT 2005
Forwarded from: William Knowles <wk at c4i.org>
By RANDALL STROSS
Published: May 8, 2005
THE diesel-powered utility van is the unappreciated speed demon of the
digital age. Even lumbering along city streets in stop-and-go traffic,
it can move a trillion bytes of corporate data across town far faster
than if they were sent across the Internet.
The homely Ford Econoline 350 is the workhorse of Iron Mountain, the
dominating presence in the off-site data protection business. Its
customers include more than three-fourths of Fortune 500 companies,
and it had revenue of $1.82 billion last year, earned largely out of
public sight as its unmarked vans shuttled among the back-office
operations of its clients.
Last week, however, Iron Mountain lost the luxury of going about its
rounds invisibly. Time Warner, one of its clients, disclosed that
personal information - including names and Social Security numbers for
600,000 current and former employees - had gone missing six weeks
earlier while in the care of an unnamed "leader in data storage."
The data had been, in fact, in an Iron Mountain van, and the few
details about the incident that it and Time Warner have grudgingly
divulged - such as the fact that the pick-up at Time Warner was 1 of
19 the van made bouncing around Manhattan on the fateful day - raise
all sorts of questions.
To begin with, why would such sensitive information be handled less
like a guard-this-with-your-life briefcase entrusted to Brinks than
like a fungible bundle handed to the Dy-Dee Diaper Service? Why was
the data unencrypted? And why were trucks involved at all?
Why wasn't the backup done via a secure online connection, an option
that Iron Mountain offers as well as physical pickup? Why doesn't Iron
Mountain eliminate the risk of midroute problems and retire its fleet
Time Warner blamed Iron Mountain for the potential breach of
confidential employee information and would say nothing more about the
event. Its tapes were last seen on Iron Mountain's vans, so its
position is that it's Iron Mountain's responsibility; end of
Iron Mountain, for its part, gallantly declined to take Time Warner to
task. It could have done so by saying how foolish Time Warner had been
to send out sensitive personnel files in unencrypted form. Then again,
Iron Mountain itself had failed to advise clients to encrypt files
until April 21, when it issued a press release on the subject. This
was too late to help Time Warner, whose tapes had disappeared a month
Time Warner has now publicly vowed to floss regularly and encrypt
Iron Mountain has adopted a scattershot approach in its public appeal
for exoneration. Disappearing tapes - what its chief executive, C.
Richard Reese, calls "inadvertent disclosures" - are a rare problem:
12 instances for every five million pick-ups or deliveries. Mr. Reese
said he viewed the rarity of error as exemplary.
Jim Stickley, one of the founders and the chief technical officer of
Trace Security, a consulting firm based in Baton Rouge, La., is not
impressed: "Imagine the Secret Service said that about presidents:
'Well, we protected most of them.' "
Another argument pressed by Iron Mountain is that it knows of no
instance when the loss of tapes has "resulted in the unauthorized
access of personal information." Then again, have previous problems
involved tapes filled with 600,000 names and matching Social Security
numbers thoughtfully left unencrypted?
Iron Mountain also takes too much comfort in the fact that the missing
tapes are labeled only with a bar code. The company reasons that a
thief in search of Time Warner's employees would not know which van to
hit and which tapes to grab.
But why assume a crime of planning and cunning? If the tapes landed
accidentally in the hands of someone, who knew someone with the
technical competence to take a look at their contents - in unencrypted
form, not a difficult feat - what person of ill motive would toss
aside those 600,000 names and Social Security numbers?
Iron Mountain's best defense is that its reliance on trucks, which
must be loaded and unloaded by all-too-fallible humans, is unavoidable
for technical reasons. Online backups are not feasible for large
companies, given the sheer mass of data, which has grown faster than
the bandwidth of corporate Internet connections.
Illustrative numbers provided by Iron Mountain would seem to settle
the question. Consider a customer with 22,500 gigabytes (22.5
terabytes) of data that need to be ready for recovery from a disaster.
Compressed - and, one hopes, encrypted - these fit onto 300 backup
tapes, easily transported by the Econoline.
Now consider the challenge of alternatively moving that data over the
wire. Even with a pair of OC3 lines, each with 250 times the bandwidth
of a home broadband connection, you would need more than 82 hours to
send one set - though let's not forget that 8 to 10 hours are saved
because tapes do not have to be created.
And if disaster were to strike, it would take 82 hours to send these
terabytes back over the wire for restoration. That's why "we're not
driving the truck out of the equation," Mr. Reese said.
THE example, however, best matches a picture in which the computing
resources of the largest corporation consist of a single mainframe,
all of its many terabytes of data concentrated in one place,
susceptible to a single disaster.
Bud Stoddard, the chief executive of AmeriVault, a rival company based
in Boston that offers online backup services, says corporate data is
distributed across thousands of servers and desktops. "Disasters
happen every day, but they hit a server, or a department, or a
building," he said. "They do not take out an enterprise's total data
His company - as well as Iron Mountain - offers online disaster
protection by copying data via the Internet to off-site servers. This
eliminates the problem of limited bandwidth, as only incremental
changes to a file, not the entire file, need to be sent. It also
eliminates another potential problem: a faulty tape, discovered only
when it is needed for restoration.
Because of falling storage and bandwidth costs, it's now economically
feasible to prepare for disaster by going digital instead of diesel,
using a secure Internet connection to make an offsite mirror image of
a corporation's vital data.
And should catastrophe strike, a company need not wait hours or days
for its backup data to return by wire: AmeriVault can load 500
gigabytes of backed-up data onto a portable drive, then speed it to a
client. For that rare emergency, the trusty Econoline can be summoned
Had Time Warner used the Internet to back up its data, the company
would not now find itself reassuring its millions of subscribers -
21.7 million on AOL alone - that only employee information was in the
The company has offered to the individuals listed in the database a
one-year subscription to Equifax's Credit Watch service. Iron Mountain
has not stepped forward to pick up the bill. It adheres to the same
view as photo processors: if something goes wrong when your film is in
their possession, they'll replace the film, but they take no
responsibility for the lost photos.
"Under standard liability, we are not responsible for the information
stored on the tape," said Melissa Burman, an Iron Mountain
spokeswoman. "That's because we never know what information is stored
on any particular backup tape."
But when a missing tape could expose hundreds of thousands of people
to identity theft through no fault of their own, many of whom may
retain lawyers happy to work on contingency, Iron Mountain and similar
companies are probably glad they never know the contents.
This unfortunate event, seemingly similar to a long list of recently
revealed security incidents involving other companies and
organizations, should stand apart for one reason: it could have been
avoided so easily. It would have been a nonevent had Time Warner
encrypted its personnel files before shipping them.
Mr. Stickley of Trace Security advocates making encryption a matter of
law: "The government should be stepping in and say, 'You must encrypt
information that can ruin people's lives,' " he said. "It's that
Randall Stross is a historian and author based in Silicon Valley.
E-mail: ddomain (at) nytimes.com
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org