GE Money, the firm hired by JC Penney to run its credit card operations, announced Thursday that it is missing a backup tape containing the personal information of about 650,000 shoppers of JC Penney and other merchants.
The personal information contains about 150,000 Social Security numbers. GE said the tape was discovered missing last October by a worker at a warehouse run by Boston-based data-protection and storage company, Iron Mountain Inc. A JC Penney spokesperson said the missing tape contained personal information of customers from more than 200 different retailers.
It is unclear if the data was encrypted. When stolen data is encrypted, companies are quick to point it out as a way to ensure customers that their identities are safe. GE Money spokesman Richard C. Jones said the company was paying for 12 months of credit-monitoring service for customers whose Social Security numbers were on the tape.
"As is standard practice in our industry, we rarely know the nature of the information stored on the media we transport, nor the level of encryption or security our customers use," said Iron Mountain spokesman, Dan O'Neill in an email exchange. "We understand the tape was created in such a manner that unauthorized access to the data is extremely unlikely and difficult, even for experts with specialized knowledge and technology."
It's the second time in recent months that Iron Mountain lost customer data. In October, Iron Mountain said it lost a decade's worth of bank account data and Social Security numbers for almost all Louisiana college applicants and their parents. The company was moving the backup tapes containing the information. A driver reportedly lost a case full of backup data for every Louisiana application for federal student aid from 1998 through Sept. 13, 2007.
Greg Schulz, an industry analyst with the Stillwater Minn.-based StorageIO Group downplayed the JC Penney incident saying that it would be too labor intensive for a cybercriminal to steal the data off any missing tapes.
"A penny theft criminal is not going to target an individual tape," Schulz said.
If the tape was targeted, a sophisticated cybercriminal would need to know the type of tape it is and have a specific device to read the data. Once cracked, the hacker would need to determine how the data was formatted. The work would be labor and financially intensive and therefore not a viable way for a cybercriminal to make money stealing identities, he said.
"Tapes have been lost and misplaced and have never left the building and the reality is that there are probably fewer tapes being lost today than there have been in the past," Schulz said. "Whether they're putting data on a tape or CDs or removable hard drives, the chance of that data getting lost is there."
To bolster security in the wake of many high profile data breaches, some companies are encrypting data on backup tapes. Some firms are also using radio frequency identification and global positioning to track and maintain a handle on backup data, Schulz said.
IBM has introduced encrypting tape drives and most back up software can encrypt but it still has to be turned on, said Eric Maiwald, an analyst at Midvale, Utah-based Burton Group.The potential for losing data because of a failed key management system must also be taken into account, Maiwald said.
"Encryption mechanisms that use appropriate algorithms with appropriate key lengths are effectively impossible to break. However, we have seen poor implementations that are breakable (such as WEP)," Maiwald said Friday in an email exchange.