BreachExchange mailing list archives

fringe: 'Erased' personal data on agency tapes can be retrieved, company says


From: security curmudgeon <jericho () attrition org>
Date: Thu, 24 Jan 2008 17:09:55 +0000 (UTC)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.govexec.com/dailyfed/0108/012308j2.htm

By Jill R. Aitoro
Govexec.com
January 23, 2008

Personal and sensitive government data -- including employees' personal 
data -- on magnetic tapes that federal agencies erase and later sell can 
be retrieved using simple technology, according to an investigation 
conducted by a storage tape manufacturer.

The findings contradict a report released by the Government Accountability 
Office last year that concluded such data was irretrievable.

From March through August 2007, GAO investigated if data could be 
retrieved from used magnetic tapes that federal agencies sell to 
commercial tape companies in the United States. Magnetic tapes are widely 
used by federal agencies, particularly for backing up data stored on large 
systems in the event of a disaster or system failure. The sample of tapes 
that GAO obtained came from such agencies as the Federal Reserve Bank, the 
Air Force and the National Oceanic and Atmospheric Administration.

According to its September 2007 report (GAO-07-1233R) [1], GAO concluded 
it could not find "any comprehensible data on any of the tapes using 
standard commercially available equipment and data recovery techniques, 
specialized diagnostic equipment, custom programming or forensic 
analysis."

Selling used magnetic tapes is not illegal, GAO pointed out, and if 
agencies follow guidelines set by the National Institute of Standards and 
Technology for erasing all data, the risk of theft is low. "Based on the 
limited scope of work we performed, we conclude that the selling of used 
magnetic tapes by the government represents a low security risk, 
especially if government agencies comply with NIST guidelines in 
sanitizing their tapes," GAO concluded. "Even if some data were 
recoverable from some tape formats that had been overwritten to preserve 
their servo tracks, the data may not be complete or even decipherable."

[..]
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
