[ISN] Whoops! We Seem to Have Misplaced Your Identity

InfoSec News isn at c4i.org
Mon May 9 04:23:56 EDT 2005

Forwarded from: William Knowles <wk at c4i.org>


Published: May 8, 2005

THE diesel-powered utility van is the unappreciated speed demon of the
digital age. Even lumbering along city streets in stop-and-go traffic,
it can move a trillion bytes of corporate data across town far faster
than if they were sent across the Internet.

The homely Ford Econoline 350 is the workhorse of Iron Mountain, the
dominating presence in the off-site data protection business. Its
customers include more than three-fourths of Fortune 500 companies,
and it had revenue of $1.82 billion last year, earned largely out of
public sight as its unmarked vans shuttled among the back-office
operations of its clients.

Last week, however, Iron Mountain lost the luxury of going about its
rounds invisibly. Time Warner, one of its clients, disclosed that
personal information - including names and Social Security numbers for
600,000 current and former employees - had gone missing six weeks
earlier while in the care of an unnamed "leader in data storage."

The data had been, in fact, in an Iron Mountain van, and the few
details about the incident that it and Time Warner have grudgingly
divulged - such as the fact that the pick-up at Time Warner was 1 of
19 the van made bouncing around Manhattan on the fateful day - raise
all sorts of questions.

To begin with, why would such sensitive information be handled less
like a guard-this-with-your-life briefcase entrusted to Brinks than
like a fungible bundle handed to the Dy-Dee Diaper Service? Why was
the data unencrypted? And why were trucks involved at all?

Why wasn't the backup done via a secure online connection, an option 
that Iron Mountain offers as well as physical pickup? Why doesn't Iron 
Mountain eliminate the risk of midroute problems and retire its fleet 
of Econolines? 

Time Warner blamed Iron Mountain for the potential breach of 
confidential employee information and would say nothing more about the 
event. Its tapes were last seen on Iron Mountain's vans, so its 
position is that it's Iron Mountain's responsibility; end of 

Iron Mountain, for its part, gallantly declined to take Time Warner to 
task. It could have done so by saying how foolish Time Warner had been 
to send out sensitive personnel files in unencrypted form. Then again, 
Iron Mountain itself had failed to advise clients to encrypt files 
until April 21, when it issued a press release on the subject. This 
was too late to help Time Warner, whose tapes had disappeared a month 

Time Warner has now publicly vowed to floss regularly and encrypt 

Iron Mountain has adopted a scattershot approach in its public appeal 
for exoneration. Disappearing tapes - what its chief executive, C. 
Richard Reese, calls "inadvertent disclosures" - are a rare problem: 
12 instances for every five million pick-ups or deliveries. Mr. Reese 
said he viewed the rarity of error as exemplary.

Jim Stickley, one of the founders and the chief technical officer of 
Trace Security, a consulting firm based in Baton Rouge, La., is not 
impressed: "Imagine the Secret Service said that about presidents: 
'Well, we protected most of them.' "

Another argument pressed by Iron Mountain is that it knows of no 
instance when the loss of tapes has "resulted in the unauthorized 
access of personal information." Then again, have previous problems 
involved tapes filled with 600,000 names and matching Social Security 
numbers thoughtfully left unencrypted?

Iron Mountain also takes too much comfort in the fact that the missing 
tapes are labeled only with a bar code. The company reasons that a 
thief in search of Time Warner's employees would not know which van to 
hit and which tapes to grab.

But why assume a crime of planning and cunning? If the tapes landed 
accidentally in the hands of someone, who knew someone with the 
technical competence to take a look at their contents - in unencrypted 
form, not a difficult feat - what person of ill motive would toss 
aside those 600,000 names and Social Security numbers?

Iron Mountain's best defense is that its reliance on trucks, which 
must be loaded and unloaded by all-too-fallible humans, is unavoidable 
for technical reasons. Online backups are not feasible for large 
companies, given the sheer mass of data, which has grown faster than 
the bandwidth of corporate Internet connections.

Illustrative numbers provided by Iron Mountain would seem to settle 
the question. Consider a customer with 22,500 gigabytes (22.5 
terabytes) of data that need to be ready for recovery from a disaster. 
Compressed - and, one hopes, encrypted - these fit onto 300 backup 
tapes, easily transported by the Econoline.

Now consider the challenge of alternatively moving that data over the 
wire. Even with a pair of OC3 lines, each with 250 times the bandwidth 
of a home broadband connection, you would need more than 82 hours to 
send one set - though let's not forget that 8 to 10 hours are saved 
because tapes do not have to be created. 

And if disaster were to strike, it would take 82 hours to send these 
terabytes back over the wire for restoration. That's why "we're not 
driving the truck out of the equation," Mr. Reese said.

THE example, however, best matches a picture in which the computing 
resources of the largest corporation consist of a single mainframe, 
all of its many terabytes of data concentrated in one place, 
susceptible to a single disaster.

Bud Stoddard, the chief executive of AmeriVault, a rival company based 
in Boston that offers online backup services, says corporate data is 
distributed across thousands of servers and desktops. "Disasters 
happen every day, but they hit a server, or a department, or a 
building." he said. "They do not take out an enterprise's total data 

His company - as well as Iron Mountain - offers online disaster 
protection by copying data via the Internet to off-site servers. This 
eliminates the problem of limited bandwidth, as only incremental 
changes to a file, not the entire file, need to be sent. It also 
eliminates another potential problem: a faulty tape, discovered only 
when it is needed for restoration. 

Because of falling storage and bandwidth costs, it's now economically 
feasible to prepare for disaster by going digital instead of diesel, 
using a secure Internet connection to make an offsite mirror image of 
a corporation's vital data. 

And should catastrophe strike, a company need not wait hours or days 
for its backup data to return by wire: AmeriVault can load 500 
gigabytes of backed-up data onto a portable drive, then speed it to a 
client. For that rare emergency, the trusty Econoline can be summoned 
for duty.

Had Time Warner used the Internet to back up its data, the company 
would not now find itself reassuring its millions of subscribers - 
21.7 million on AOL alone - that only employee information was in the 
missing tapes. 

The company has offered to the individuals listed in the database a 
one-year subscription to Equifax's Credit Watch service. Iron Mountain 
has not stepped forward to pick up the bill. It adheres to the same 
view as photo processors: if something goes wrong when your film is in 
their possession, they'll replace the film, but they take no 
responsibility for the lost photos.

"Under standard liability, we are not responsible for the information 
stored on the tape," said Melissa Burman, an Iron Mountain 
spokeswoman. "That's because we never know what information is stored 
on any particular backup tape." 

But when a missing tape could expose hundreds of thousands of people 
to identity theft through no fault of their own, many of whom may 
retain lawyers happy to work on contingency, Iron Mountain and similar 
companies are probably glad they never know the contents.

This unfortunate event, seemingly similar to a long list of recently 
revealed security incidents involving other companies and 
organizations, should stand apart for one reason: it could have been 
avoided so easily. It would have been a nonevent had Time Warner 
encrypted its personnel files before shipping them. 

Mr. Stickley of Trace Security advocates making encryption a matter of 
law: "The government should be stepping in and say, 'You must encrypt 
information that can ruin people's lives,' " he said. "It's that 


Randall Stross is a historian and author based in Silicon Valley. 
E-mail: ddomain (at) nytimes.com

"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org

More information about the ISN mailing list