In a move that could fuel efforts to change data storage practices, records management giant Iron Mountain has admitted losing a customer’s backup tapes and is recommending that customers begin encrypting tapes.
“Iron Mountain performs upwards of five million pickups and deliveries of backup tapes each year, with greater than 99.999% reliability,” the company said in a statement Thursday. “Nevertheless, since the beginning of the year, four events of human error at Iron Mountain resulted in the loss of a customer’s computer backup tapes. While four losses is not a large number in comparison to an annual rate of five million transportation events, any loss is important to customers and to Iron Mountain.”
Iron Mountain did not name the customer, but the admission comes on the heels of announcements from Bank of America and Ameritrade that the financial firms had lost backup tapes containing customer data and were notifying customers.
“Iron Mountain is advising its customers that current, commonly used disaster recovery processes do not address increased requirements for protecting personal information from inadvertent disclosure,” the company said.
Companies commonly create multiple copies of their computer data on backup tapes and move them off site to allow for recovery in case of a disaster. According to a recent report from the Enterprise Strategy Group, only seven percent of businesses encrypt all of their backup tapes.
Many businesses don’t encrypt because the process increases the complexity of the backup process and may reduce the reliability of an effective disaster recovery plan, Iron Mountain said.
“Iron Mountain, therefore, is recommending that companies encrypt backup tapes containing personal information, but take care to incorporate encryption in a way that does not compromise their overall disaster recovery plans,” the company said. “This announcement is the beginning of a campaign to educate our customers on these important issues so that together we can start to work toward solutions.”
Iron Mountain noted that the accidental loss of backup tapes “poses a potential risk if sensitive information stored on those tapes is unencrypted. … Iron Mountain is not aware of any incident in which the physical loss of a backup tape resulted in the unauthorized access of personal information. It is important to understand that unencrypted information stored on backup tapes is difficult to read, but it is not impossible. Companies need to reassess their backup strategies and seriously consider encrypting sensitive data to prevent a potential breach of privacy.”
“We invest more in training, automation and process controls than anyone in our industry,” stated Iron Mountain CEO Richard Reese. “But even Iron Mountain is not immune from human error. The only effective means to prevent unauthorized access to data is the use of encryption.”
Iron Mountain spokesperson Melissa Burman said the company made the announcement “to create awareness and educate our customers on this issue. We believe encryption is the best way for businesses to meet the increasing need for privacy protection.”
The company isn’t currently working with storage security vendors or offering an encryption solution, she said.
“For now, we’re focused on the education component, but we are evaluating solutions to bring to our customers, either directly or indirectly, that will make it easier for them
to implement encryption into the tape backup process without compromising
disaster recovery objectives,” Burman told Enterprise Storage Forum.