Reassessing the dangers of lost data tapes

Companies often lose magnetic tapes with confidential information. But just what are the chances of that information causing anyone any harm? Information security experts at InfoWatch believe the chances of that data being used for illegal purposes are about the same as the chances of winning the lottery or being struck by lightening.

Last year millions of Americans could have fallen victim to identity theft as a result of large corporations regularly losing magnetic tapes and backup information during transportation to storage centers. Among those guilty of being careless with their clients' personal data were the Bank of America, Citibank, Marriott, and Time Warner. Amazingly, any experienced professional in the IT sphere will confirm that companies have been losing tapes for years.

The only thing that has changed with time is the law. For example, the Californian state law on database breaches (SB 1386) stipulates that any compromise of personal data must be disclosed. The loss of a backup data tape is just one such example that needs to be publicized.

Of course, laws like SB 1386 were adopted with the best intentions in mind, but does the loss of a backup tape really pose a risk? Technically, the answer is yes. In reality, however, it rarely does.

Without a doubt, backup tapes can be a source of confidential data like customer credit cards or trade secrets, and stealing backup tapes is not a new threat. One well-publicized crime took place in 1977 when a disgruntled IT administrator stole tapes in an attempt to extort money from his employer, Imperial Chemical. The crime was thwarted by detectives at Scotland Yard who followed and arrested the insider in London.

Such crimes could also be committed today, but unlike the 1970s there are now much safer ways of stealing data. It is enough to be an insider with some form of access rights to the company database, computer system and confidential information. Even if the insider knows nothing about the system or network administration they can copy a file to a USB storage device and go home with a few gigabytes of confidential information. A few million credit card numbers? No problem!

Today data is definitely very easy to steal. However, running out of the emergency door of a data center with a box full of magnetic tapes is no longer the done thing. It would arouse too much suspicion not to mention the inconvenient physical burden. The loss of the tapes would be noticed sooner or later and lead to law enforcement agencies getting involved. A “normal" insider attack to steal confidential data carried out “logically" can go unnoticed for months or even years. After all, the criminals are not looking for notoriety or challenges but financial gain.

So just what are the risks if a would-be criminal finds a couple of backup tapes lying on the street? How likely is it that the data will be used for illegal purposes? There is as much chance of winning the lottery or getting hit by a bolt of lightning.

First off, backup tapes are rather fragile and don't take well to shock or extreme climates. A tape could become unreadable after a few hours of sitting in the rain or extreme heat and it might be completely useless if it fell out of a truck at 60 kph.

There is one other serious factor which needs to be taken into consideration. Virtually all the tapes that are lost are anonymous. Tapes generally have two identifiers on them, a bar code and serial number, neither of which can help a criminal trace them back to a particular company. In other words, tapes are never found on the street with labels on them saying "Customer credit card numbers from Citibank."

Moreover, the data recorded on the tapes depends on the type of backup operation. Only some backup tapes have all the data in a system recorded on them, while the majority tend only to have data that have changed since the last backup. In other words, even if a spool of tape was found on the street, it is more likely to contain incremental information from recent records rather than exhaustive records from a whole system, making it much harder to use.

Finally, the average criminal who just happens to come across a backup tape is unlikely to have the skills to read it as well as the right equipment to access it. He is likely to arouse suspicion if he strolls into a shop with no knowledge of where the tapes came from or what type of tape drive and backup software were used in the process. That is probably going to end in a call to the law enforcement agencies.

If all these factors are taken into consideration, then it becomes clear that the criminal would need a combination of skills, resources, a four-leaf clover, horseshoe and rabbit's foot to steal data off a few misplaced backup tapes.

Therefore, a sense of perspective is needed when it comes to the loss of backup data. Today ordinary insiders, who don't need backup tapes to leak confidential information, pose a far greater threat. And the leaks in those cases are much harder to detect.

Source: news.com

l.12-.057c.834-.407 1.663-.812 2.53-1.211a42.414 42.414 0 0 1 3.345-1.374c2.478-.867 5.078-1.427 7.788-1.427 2.715 0 5.318.56 7.786 1.427z" transform="translate(-128 -243)"/>