Storage experts say Bank of America’s admission that it lost data tapes containing the personal information of 1.2 million government employees suggests that the data on the tapes was not encrypted.
Data encryption renders files unreadable without the encryption key, greatly reducing security risk in the event of theft or misplacement of tape cartridges that include stored data.
If Bank of America had encrypted the data on the tapes, which included the addresses and account numbers for U.S. senators and other federal workers, it is unlikely they would have had to announce the loss, said Enterprise Strategy Group analyst Jon Oltsik.
As it is, California state law SB 1386 requires corporations to report any security breach of a computing system where unencrypted personal information is stored. The bank’s admission suggests the tapes were not encrypted, which is likely to bring renewed attention to efforts by Sen. Dianne Feinstein (D-Calif.) to craft national identity theft legislation.
Bank of America spokeswoman Alexandra Trower declined to say if the files on the tapes were encrypted, but she said it was unlikely that the information could be accessed.
“In order to access the tapes, you have to have a sophisticated combination of specific hardware and software and specific user and operator knowledge,” Trower said. “On top of that, the data was structured in a highly fragmented way, so it would have been very difficult for anyone to know what they were looking at.”
Still, the institution acknowledged that the mishap put customers at risk for identity theft by perpetrators savvy enough to get at the information on the tapes. After all, experts say, even incremental back-ups contain large chunks of data, enough to store credit card numbers.
In Oltsik’s view, that’s all a corporation needs to realize it must shore up its defenses to protect customers from having their accounts drained or their identities hijacked.
“You have to assume the worse case,” Oltsik said. “If it’s an error and the boxes end up somewhere, that’s one thing. But if I go to the trouble to steal your box of back-up tapes, you can be damn well sure I know how to access those tapes.”
Encryption, he said, would make the bank’s data loss a non-issue, because files would be scrambled before they reached storage mediums.
Tape Loss: More Common Than You Think
Bank of America’s troubles aren’t unique, even if the personal information of some U.S. senators was exposed as part of the loss. Because back-up tapes are often physically transferred from one facility to another, the chance for lost or stolen tapes is not only high, but also occurs more often than is commonly known. This is because back-up processes often involve a lot of third parties that don’t provide adequate tracking mechanisms, which means tapes can easily be shipped to the wrong warehouse, Oltsik said.
The difficulty is causing more banks and other institutions to look for alternatives to physically moving data, or at least ways to make it safer. Trower declined to say if Bank of America is planning security changes in light of the incident, but she said the bank is monitoring and improving its processes as they relate to information security and customer privacy.
Encryption is one option. Companies like Decru and NeoScale make appliances that encrypt data before it reaches the storage medium, which, while not cheap, could save companies millions of dollars in event of data theft or loss.
Kevin Brown, vice president of marketing at Decru, said Decru makes a security appliance that sits in front of tape or disk storage systems and encrypts the data at wire speed before it reaches the storage medium. Decru has many large banking customers using its appliance, he said.
“It takes events like this to demonstrate what the priority is, versus spending the next couple of bucks on anti-virus or the next best firewall,” Brown said. “People have done a lot to protect the perimeter of their company, but the stored data today has no security, period.”
Other proposals call for the eventual phase-out of tape storage, which some storage experts say is an eventuality. Frank Slootman, CEO of Data Domain, a disk back-up company that builds storage appliances, is looking to replace tape storage through data compression that squeezes the size of data from 20 to 1.
While some companies like Iron Mountain pick up tapes and ship them off to another site for disaster protection, Slootman said Data Domain compresses the data and pipes it from one facility to another over the network. This reduces physical handling of data.
“You get out of the business of making tapes, handling tapes, shipping tapes and storing tapes between facility to facility,” Slootman said.
Oltsik said encryption is a valuable approach, even if it is a bit tricky.
“The thing about back-up is, 99 times out of 100, you’ll never use that tape again, so having it encrypted makes the recovery process more cumbersome, but the number of times you need to recover from tape are pretty rare,” he said.
Article courtesy of InternetNews.com