Modernizing Authentication — What It Takes to Transform Secure Access
Storage experts said Bank of America's loss of tapes housing the personal information of 1.2 million government employees suggests the data on them was not encrypted. The case is seen spurring calls for encrypting customer data.
Data encryption renders files unreadable to users, greatly mitigating the security risk brought on by the theft or misplacement of tape cartridges that include stored files.
If Bank of America had encrypted the data on the tapes, which included the addresses and account numbers for U.S. senators and other federal workers, it is unlikely they would have had to announce the loss, said Enterprise Strategy Group Analyst Jon Oltsik.
As it is, California Senate Bill 1386 requires corporations to report any breach to the security of a computing system where unencrypted personal information is stored. The bank's admittance suggest the tapes were not encrypted, a situation likely to bring renewed attention to efforts by Sen. Dianne Feinstein (D-Calif.) to craft national identity theft legislation.
Bank of America spokeswoman Alexandra Trower refused to confirm or deny whether the files on the tapes were encrypted to prevent prying eyes from culling the data. But she expressed doubt that the information could be accessed.
"In order to access the tapes you have to have a sophisticated combination of specific hardware and software and specific user and operator knowledge," Trower said. "On top of that, the data was structured in a highly fragmented way so it would have been very difficult for anyone to know what they were looking at."
Still, the institution acknowledged that the blunder put customers at risk for identity theft by perpetrators savvy enough to get at the information on the tapes. After all, experts said, even incremental back-ups contain large chunks of data, enough to store credit card numbers.
In Oltsik's eyes, that's all a corporation needs to know to realize it needs to shore up its defenses to protect customers from having their accounts drained, or their identities hijacked.
"You have to assume the worse case," Oltsik said. "If it's an error and the boxes end up somewhere that's one thing. But if I go to the trouble to steal your box of back-up tapes you can be damn well be sure I know how to access those tapes."
Encryption, he said, would make the bank's data loss a non-issue, because files would be scrambled before they reached storage mediums.
Tape Loss: A Common Affair
Bank of America's trouble isn't a unique occurrence, even if the personal information of some U.S. senators slipped into the void as part of the loss. Because back-up tapes are often physically transferred from one facility to another, the opportunities for lost or stolen tapes is not only high, but more common than the public knows.
This is because back-up process often involves a lot of third parties that don't provide adequate tracking mechanisms, which means tapes can easily be shipped to the wrong warehouse, Oltsik said.
This dilemma is leading more banks and other institutions to look for solutions to the physical moving of data. While Trower declined to say if the Bank of America is planning security practice changes in light of the incident, she said the bank is monitoring and improving its processes as it relates to information security and customer privacy.
Encryption is one option. Companies like Decru and NeoScale make appliances that encrypt data before it reaches the storage medium, which could save a company millions of dollars in having to recover from data theft or loss.
Kevin Brown, vice president of marketing at Decru, said Decru makes a security appliance that sits in front of tape or disk storage systems and encrypts the data at wire speed before it reaches the storage medium. Decru has many large banking customers using its appliance.
"It takes events like this to demonstrate what the priority is versus spending the next couple of bucks on antivirus or the next best firewall," Brown said. "People have done a lot to protect the perimeter of their company but the stored data today has no security period."
Other proposals call for the eventual phase out of tape storage, which some storage experts say is an eventuality. Frank Slootman, CEO of Data Domain, a disk back-up company that builds storage appliances, is looking to replace tape storage through data compression that squeezes the size of data from 20 to 1.
While some companies like Iron Mountain pick up tapes and ship them off to another site for disaster protection, Slootman said Data Domain compresses the data and pipes it from one facility to another over the network. This alleviates physical handling of data.
"You get out of the business of making tapes, handling tapes, shipping tapes, and storing tapes between facility to facility," Slootman said.
Oltsik said encryption is a valuable approach, even if it is a bit tricky.
"The thing about back-up is, 99 times out of 100, you'll never use that tape again, so having it encrypted makes the recovery process more cumbersome, but the number of times you need to recover from tape are pretty rare," he said.