Lessons Learned When Data Tapes Go Missing

Data security

Just one lost data tape is a big headache for businesses, big or small. Two disappearing tapes, within the span of two months, would likely have any storage administrator and CIO gobbling antacid tablets.

While IT leaders and executives at the Bank of New York Mellon (BNY Mellon) have likely slowed down in chugging Pepto-Bismol, they’re busy dealing with the fallout of lost data and stopping customers from running out the door.

The tape losses, which occurred in February and April and revealed publicly by the bank last week, should be viewed as a learning experience for other enterprises as well, experts say. The scenario drives home the reason why encryption is a storage strategy requirement and no longer just a best practice.

“The law of averages states that, at some point, a tape will be lost because so many are being transferred,” Brian Babineau, senior analyst, Enterprise Strategy Group, told InternetNews.com.

“Companies know there is a risk that tapes can be lost and can choose to encrypt data as an insurance policy,” Babineau said. “But many still believe that it will never happen to them or believe that the cost of encryption is not worth the benefit.”

Those companies include top financial institutions such as Chrysler Financial Services Canada, Bank of America (NYSE: BAC) and even digital storage player and tape transporter Iron Mountain (NYSE: IRM). All experienced a data-tape loss scenario in the past few years.

And all know the business pains BNY Mellon is dealing with as it works to assure customers and clients that the lost data has not been compromised and that it’s shoring up tape security.

“We’re aiming to improve on the protections of data and minimize risks with removable storage media,” Ron Sommer, BNY Mellon spokesman, told InternetNews.com. “We are working on improvements needed and the review of what happened will help us do that,” he said.

The February incident involved one of 10 boxes of backup data storage tapes being transported to an offsite storage facility by a third-party archiving vendor. The data was tied to BNK Mellon Shareowner Services, a stock transfer agent and stock plan administrator for public companies.

Upon first investigation the bank said the data held account information for 270,000 plan participants, including Social Security numbers, addresses and transaction activity. Further investigation revealed that the tapes held data on an additional 4 million individuals.

Law enforcement was called in, the bank hired a forensics investigative team and fired the courier services. It also notified the Office of the Comptroller of the Currency, the New York State Banking Department, the Federal Reserve Board, the Securities and Exchange Commission and various state authorities, according to the bank.

The bank notified individuals in early April about the incident.

Within a few weeks of completing the customer notification effort, a backup tape from another division, this time the BNY Mellon Working Capital Solutions’ operations, was lost in transport by a national courier.

The tape held images of scanned checks and other documents relating to payments made to BNY Mellon’s institutional clients.

BNY Mellon again notified regulatory and enforcement parties, and began an analysis to assess the missing data and identify clients impacted by the incident.

The bank notified the 47 institutional clients by mid-May and began working with the clients to identify individuals affected by the incident. At this point the number of impacted individuals is unknown, according to the bank.

BNY Mellon, according to Sommer, is taking a number of steps to enhance existing security measures and minimize threats in the future.

Those measures including using direct encrypted electronic transmission wherever possible to minimize tape need and requiring that confidential data be encrypted before written on tapes for transport.

In addition, BNY Mellon is also providing fraud protection that includes two years of free credit monitoring, $25,000 worth of identity theft insurance. It’s also established hotlines to answer consumer questions.

“We are conducting a thorough, top-to-bottom review of existing policies and procedures to ensure the company has industry-leading security measures in place across all of our businesses,” the bank stated on its Web site.

The encryption aspect, according to experts, should be in place anywhere companies are using tape storage at this point.

“Unfortunately these stories will continue unless companies start encrypting confidential data before it is put on the tape,” Babineau said. “Yes, these alternatives cost money, but would you really do business with someone who doesn’t think your information is worth securing,” he asked.

As another pundit noted, encryption doesn’t begin and end on tape. Greg Schultz, founder and senior analyst at StorageIO, recommends that enterprises encrypt any removable media and leverage available encryption and key management on higher risk items such as laptops and PDAs.

Companies should also investigate new tape accessories such as RFID-enabled labels and GPS tracking-enabled tape cases, Schultz said.

“Given available technology, known threat risks and even more important, the negative consequences of having your name appear in the news for losing unencrypted data and storage media loss, why wouldn’t a high-profile organization or any organization be leveraging data encryption?” he asked.

News Around the Web