Bank Data Leak Jump-Starts Encryption Talk

Storage experts said Bank of America’s loss of
tapes housing the personal information of 1.2 million government
employees suggests the data on them was not encrypted. The case is seen spurring calls for encrypting customer data.

Data encryption renders files unreadable to users, greatly mitigating the
security risk brought on by the theft or misplacement of tapes
that include stored files.

If Bank of America had encrypted the data on the tapes, which included
the addresses and account numbers for U.S. senators and other federal
workers, it is unlikely they would have had to announce the loss, said
Enterprise Strategy Group Analyst Jon Oltsik.

As it is, California Senate Bill 1386 requires corporations to report
any breach to the security of a computing system where unencrypted personal
information is stored. The bank’s admittance suggests the tapes were
not encrypted, a situation likely to bring renewed attention to efforts by Sen.
Dianne Feinstein (D-Calif.) to craft national identity theft

Bank of America spokeswoman Alexandra Trower refused to confirm or deny
whether the files on the tapes were encrypted to prevent prying
from culling the data. But she expressed doubt that the information
could be

“In order to access the tapes you have to have a sophisticated
of specific hardware and software and specific user and operator
Trower said. “On top of that, the data was structured in a highly
way so it would have been very difficult for anyone to know what they
looking at.”

Still, the institution acknowledged that the blunder put customers at risk
of identity theft by perpetrators savvy enough to get at the information
on the tapes. After all, experts said, even incremental back-ups contain large
chunks of data, enough to store credit card numbers.

In Oltsik’s eyes, that’s all a corporation needs to know to realize it
to shore up its defenses to protect customers from having their
drained, or their identities hijacked.

“You have to assume the worst case,” Oltsik said. “If it’s an error and
boxes end up somewhere that’s one thing. But if I go to the trouble to
your box of back-up tapes you can be damn well sure I know how to
those tapes.”

Encryption, he said, would make the bank’s data loss a non-issue,
files would be scrambled before they reached storage mediums.

Tape Loss: A Common Affair

Bank of America’s trouble isn’t a unique occurrence, even if the
information of some U.S. senators slipped into the void as part of the loss. Because back-up
tapes are often physically transferred from one facility to another,
opportunities for lost or stolen tapes are not only high, but more
than the public knows.

This is because the back-up process often involves a lot of third parties
that don’t provide adequate tracking mechanisms, which means tapes can
easily be shipped to the wrong warehouse, Oltsik said.

This dilemma is leading more banks and other institutions to look for
solutions to the physical moving of data. While Trower declined to say
the Bank of America is planning security practice changes in light of
incident, she said the bank is monitoring and improving its processes
as it relates to information security and customer privacy.

Encryption is one option. Companies like Decru and NeoScale make
that encrypt data before it reaches the storage medium, which could
save a company millions of dollars in having to recover from data theft or

Kevin Brown, vice president of marketing at Decru, said Decru makes a
security appliance that sits in front of tape or disk storage systems
encrypts the data at wire speed before it reaches the storage medium.
has many large banking customers using its appliance.

“It takes events like this to demonstrate what the priority is versus
spending the next couple of bucks on antivirus or the next best
Brown said. “People have done a lot to protect the perimeter of their
company but the stored data today has no security period.”

Other proposals call for the eventual phase out of tape storage, which
storage experts say is an eventuality. Frank Slootman, CEO of Data
Domain, a disk back-up company that builds storage appliances, is looking to
tape storage through data compression that squeezes the size of data
from 20 to 1.

While some companies like Iron Mountain pick up tapes and ship them off
another site for disaster protection, Slootman said Data Domain
the data and pipes it from one facility to another over the network.
alleviates physical handling of data.

“You get out of the business of making tapes, handling tapes, shipping
tapes, and storing tapes between facility to facility,” Slootman said.

Oltsik said encryption is a valuable approach, even if it is a bit

“The thing about back-up is, 99 times out of 100, you’ll never use that
again, so having it encrypted makes the recovery process more
but the number of times you need to recover from tape are pretty rare,”
