Interesting People mailing list archives

Privacy experts vexed over bank's missing data mishap


From: David Farber <dave () farber net>
Date: Fri, 04 Mar 2005 14:10:08 -0500

http://searchdatacenter.techtarget.com/originalContent/0,289142,sid80_gci1063790,00.html

Privacy experts vexed over bank's missing data mishap

By Matt Stansberry, News Editor
02 Mar 2005 | SearchDataCenter.com


Bank of America has become the poster child for how not to transport data.

Over the weekend, the Charlotte, N.C.-based financial institution announced
it had lost backup tapes containing the personal and financial information
of 1.2 million customers. The missing tapes contained U.S. federal
government charge account information -- and the personal information of
federal employees and U.S. senators.

No unusual activity in the missing accounts has been observed to date,
according to Bank of America. But news outlets have reported that the bank
has admitted to not encrypting the tapes.

The incident has raised concerns about why this data was not encrypted, and
has forced data center managers to reconsider their backup practices.

According to David Farber, a professor of computer science and public policy
at Carnegie Mellon University, it is not uncommon for organizations to ship
unencrypted tapes and assume they are safe.

"You would think people would learn," said Farber, an outspoken privacy
advocate. "It is such an easy thing to encrypt them. Before you write the
tape, you encrypt the data. When you get to the other end, you unscramble
it. Many of the things you archive, you don't care about. But when it comes
to personal information, encryption is important. Tapes could be lost,
misrouted, stolen -- anything."

Companies that operate this way are extremely vulnerable, according to
Farber.

"Seems to me, any company that ships sensitive data without encryption
should be hung out to dry," he said. "Bank of America has been shipping
tapes like this for a long time, and they've probably never reported much
loss. If it hadn't been for the recent T-Mobile and ChoicePoint stories
recently, I doubt anyone would have reported on it.

"With a big data center network like Bank of America's, the data center
manager should have been able to encrypt the data on his own," Farber said.
"In fact, the program they used to make the tapes probably could have
encrypted the data."

Peter G. Neumann, principal scientist at SRI International in Menlo Park,
Calif., agrees. Encryption should be the first line of defense. According to
Neumann, the precaution probably never seemed important to bank officials.

"People tend to never do anything until they're burned," Neumann said. "We
haven't had a true disaster, an IT tsunami, so no one thinks it is worth
spending the money to protect themselves."

Neumann also questioned the bank's methodology.

"Why ship a couple of tapes on an airplane? In this day and age you should
be able to send them over the Internet if you're careful, or high-speed
phone lines and satellite communications," Neumann said.

While privacy is a huge problem and encryption should be mandatory for
personal information, technology was only half of the problem. How were the
tapes lost? And who is responsible?

According to Austin Hill, president of Montreal-based Zero-Knowledge Systems
Inc., data center managers need to mitigate their risk in people as well.

"You need to have governance in place, checks and balances to manage
vendors, partners, storage providers and shipping companies," Hill said. "If
you're using a third-party data storage company, do you have a system in
place to let people know that your data security standards have changed?

"Lawyers shipping memos to IT people is not an example of good governance.
There is a real organizational process that needs to take hold," Hill said.

Even when your encryption is in place and your line of communications is
operational, that may not be enough.

"The next level is to audit your encryption," Hill said.
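The encrypt-before-write procedure Farber describes above and the encryption audit Hill calls for, as an added Go example that is not from the article or from any company it names. The tape image header, the AES-GCM construction and the plaintext-marker audit are assumptions; the key is distributed out of band and never written to the tape.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var tapeMagic = []byte("ENCBKP1\x00") // constructed header for this job's images

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealForTape encrypts before the write: image = magic || nonce || ciphertext+tag.
func sealForTape(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(append(append([]byte{}, tapeMagic...), nonce...), nonce, plaintext, tapeMagic), nil
}

// openFromTape is the receiving end: a wrong key, truncated or altered image fails.
func openFromTape(key, image []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns, hl := gcm.NonceSize(), len(tapeMagic)
	if !bytes.HasPrefix(image, tapeMagic) || len(image) < hl+ns+gcm.Overhead() {
		return nil, errors.New("not a complete encrypted tape image")
	}
	return gcm.Open(nil, image[hl:hl+ns], image[hl+ns:], tapeMagic)
}

// looksEncrypted is the pre-shipment audit: header present and no plaintext marker.
func looksEncrypted(image, plaintextMarker []byte) bool {
	return bytes.HasPrefix(image, tapeMagic) && !bytes.Contains(image, plaintextMarker)
}
```

The marker passed to looksEncrypted should be a field name that every unencrypted backup of the data set contains, so a job that silently skipped encryption is caught before the tape leaves the building.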

According to Bank of America spokeswoman Alexandra Trower, the bank is not
providing details of how it plans to secure customer data in the future
because of security concerns.




Archives at: http://www.interesting-people.org/archives/interesting-people/