Security consultant Dave Watts recalled a large financial institution that said it lacked the budget to invest in preventing the theft of backup tapes, laptops and desktop PCs. Then during a robbery last summer, thieves absconded with 20 computers from a branch office holding customers' private data, touching off an in-depth audit and flurry of lawsuits from victims.
"Physical theft is one of the last things people think about," said Watts, president of NetFusion Inc., a Los Angeles-based network support and security consultancy. "Prevention is so much cheaper than thinking 'It won't happen to me.'" He believes that company settled the privacy-related lawsuits.
Such thefts are being acknowledged at an alarming rate these days. High-profile data compromises have peppered the news for months as hundreds of thousand of people have learned they're now at risk of ID theft. For instance:
- Data storage provider Iron Mountain Inc. Tuesday confirmed that it lost backup tapes of client Time Warner Inc. holding personal data of 600,000 former and current Time Warner employees.
- Last month, Omaha-based online investment brokerage Ameritrade Inc. announced it may have lost an unencrypted backup tape containing account information of 200,000 current and former clients.
- In March, San Jose Medical Group Inc. announced the theft of two laptops holding unencrypted medical information and Social Security numbers of 185,000
- And in February, Bank of America announced an unencrypted backup tape with credit card information on up to 1.2 million federal employees was stolen or lost while shipped on a commercial airline.
"Until the rash of recent, notable data security breaches, a majority of companies were not spending enough resources to control backup files, such as magnetic tapes," said Larry Ponemon, a privacy expert and chairman of the Ponemon Institute in Tucson, Ariz. "As part of an IT security program, the storage backup process has always been a key component to business continuity. However, physical security procedures over this media have not been a top-of-mind issue."
Some companies are trying a variety of technologies to mitigate the chance of such thefts.
"We still rely on tapes for one of the most critical parts of business -- backup," said Robert Reeder, CTO of direct marketing
service WA Wilde Inc. in Holliston, Mass. His company uses ExaGrid's Advanstor, a product that self-manages, -heals and integrates primary storage with local and remote data protection functions by mirroring configurations across two geographically dispersed sites.
"Unlike with backup tapes that are small and have to be physically protected, it uses all the technology, tools, policies, etc., that can be brought to bear," Reeder said.
And encryption is also an important option. Watts suggests using EFS [encrypted file system] that is part of Microsoft's Server 2000 and newer versions to encrypt all stored data. He'd like to see complete encryption even at the workstation level so that if a machine -- laptop or desktop -- is stolen, its data can't be accessed.
Ironically, Iron Mountain touted the benefits of encrypting backup tapes before its widely publicized loss of Time Warner data. "It is important to understand that unencrypted information stored on backup tapes is difficult to read, but it is not impossible," the company said April, when it also acknowledged a string of four "events" involving loss of backup tapes. "Companies need to reassess their backup strategies and seriously consider encrypting sensitive data to prevent a potential breach of privacy."
Privacy advocate Richard M. Smith agrees. "A simple solution for dealing with lost backup tapes is to encrypt the data before storing it. If it then goes missing, it will be unreadable to an outsider."
However, very few companies currently encrypt their backup tapes. Last month, the Enterprise Strategy Group [ESG] analyst group in Milford, Mass., surveyed 388 IT professionals representing 10 industry segments. The firm reported only 6% of financial services firms, 3% of government organizations and 3% of healthcare firms always encrypt their backup data, while two-thirds or more of each category say they never do.
"Data backup and offsite storage is an error-prone, manual undertaking that often includes junior employees, unmarked cardboard boxes, untrusted couriers and public transportation," Jon Oltsik, a senior analyst at ESG, said in a statement. "This process is full of holes ripe for compromise. If a malicious individual wanted to steal confidential data, he or she could simply bribe an employee or simply grab a non-descript cardboard box in transit. Since all of the data is [unencrypted], it could be extremely damaging in the hands of the wrong person."
And not only could the data fall into the wrong hands, it's a clear violation of the Sarbanes-Oxley Act, Ponemon said. Data breaches resulting from stolen or lost backup files such as magnetic tapes violate the internal control process.
"We're in the information age and a lot of companies don't seem to understand what that means," said Evan Scott, president of the Philadelphia-based executive search firm Evan Scott Group International. "The lifeblood of our country -- the information we use every day -- is in cyberspace."