Storage experts said Bank of America’s loss of
tapes housing the personal information of 1.2 million government
employees suggests the data on them was not encrypted. The case is seen spurring calls for encrypting customer data.
Data encryption renders files unreadable to users, greatly mitigating the
security risk brought on by the theft or misplacement of tape
cartridges
that include stored files.
If Bank of America had encrypted the data on the tapes, which included
the addresses and account numbers for U.S. senators and other federal
workers, it is unlikely they would have had to announce the loss, said
Enterprise Strategy Group Analyst Jon Oltsik.
As it is, California Senate Bill 1386 requires corporations to report
any
breach to the security of a computing system where unencrypted personal
information is stored. The bank’s admittance suggest the tapes
were
not encrypted, a situation likely to bring renewed attention to efforts by Sen.
Dianne Feinstein (D-Calif.) to craft national identity theft
legislation.
Bank of America spokeswoman Alexandra Trower refused to confirm or deny
whether the files on the tapes were encrypted to prevent prying
eyes
from culling the data. But she expressed doubt that the information
could be
accessed.
“In order to access the tapes you have to have a sophisticated
combination
of specific hardware and software and specific user and operator
knowledge,”
Trower said. “On top of that, the data was structured in a highly
fragmented
way so it would have been very difficult for anyone to know what they
were
looking at.”
Still, the institution acknowledged that the blunder put customers at risk
for
identity theft by perpetrators savvy enough to get at the information
on the
tapes. After all, experts said, even incremental back-ups contain large
chunks of data, enough to store credit card numbers.
In Oltsik’s eyes, that’s all a corporation needs to know to realize it
needs
to shore up its defenses to protect customers from having their
accounts
drained, or their identities hijacked.
“You have to assume the worse case,” Oltsik said. “If it’s an error and
the
boxes end up somewhere that’s one thing. But if I go to the trouble to
steal
your box of back-up tapes you can be damn well be sure I know how to
access
those tapes.”
Encryption, he said, would make the bank’s data loss a non-issue,
because
files would be scrambled before they reached storage mediums.
Tape Loss: A Common Affair
Bank of America’s trouble isn’t a unique occurrence, even if the
personal
information of some U.S. senators slipped into the void as part of the loss. Because back-up
tapes are often physically transferred from one facility to another,
the
opportunities for lost or stolen tapes is not only high, but more
common
than the public knows.
This is because back-up process often involves a lot of third parties
that
don’t provide adequate tracking mechanisms, which means tapes can
easily be
shipped to the wrong warehouse, Oltsik said.
This dilemma is leading more banks and other institutions to look for
solutions to the physical moving of data. While Trower declined to say
if
the Bank of America is planning security practice changes in light of
the
incident, she said the bank is monitoring and improving its processes
as it
relates to information security and customer privacy.
Encryption is one option. Companies like Decru and NeoScale make
appliances
that encrypt data before it reaches the storage medium, which could
save a
company millions of dollars in having to recover from data theft or
loss.
Kevin Brown, vice president of marketing at Decru, said Decru makes a
security appliance that sits in front of tape or disk storage systems
and
encrypts the data at wire speed before it reaches the storage medium.
Decru
has many large banking customers using its appliance.
“It takes events like this to demonstrate what the priority is versus
spending the next couple of bucks on antivirus or the next best
firewall,”
Brown said. “People have done a lot to protect the perimeter of their
company but the stored data today has no security period.”
Other proposals call for the eventual phase out of tape storage, which
some
storage experts say is an eventuality. Frank Slootman, CEO of Data
Domain, a
disk back-up company that builds storage appliances, is looking to
replace
tape storage through data compression that squeezes the size of data
from 20
to 1.
While some companies like Iron Mountain pick up tapes and ship them off
to
another site for disaster protection, Slootman said Data Domain
compresses
the data and pipes it from one facility to another over the network.
This
alleviates physical handling of data.
“You get out of the business of making tapes, handling tapes, shipping
tapes, and storing tapes between facility to facility,” Slootman said.
Oltsik said encryption is a valuable approach, even if it is a bit
tricky.
“The thing about back-up is, 99 times out of 100, you’ll never use that
tape
again, so having it encrypted makes the recovery process more
cumbersome,
but the number of times you need to recover from tape are pretty rare,”
he
said.