Interesting People mailing list archives

SF Chronicle: Personal data lost -- again


From: David Farber <dave () farber net>
Date: Wed, 6 Jul 2005 16:11:21 -0400



Begin forwarded message:

From: Ari Ollikainen <Ari () OLTECO com>
Date: July 6, 2005 3:53:25 PM EDT
To: David Farber <dave () farber net>
Subject: SF Chronicle: Personal data lost -- again


    For IP... Iron Mountain, "a leading data storage firm", lost
    two back-up tapes. Interesting delay in informing customers
    as required by California law.

Personal data lost -- again
- David Lazarus
Wednesday, July 6, 2005

Today I bring news of yet another security breach involving
potentially thousands of people's personal info, and this is the
first anyone's hearing of it.

The latest company to drop the data ball is City National Bank, based
in Los Angeles and one of the largest independent financial
institutions in California.

City National, which specializes in high-end clients, became a player
in Northern California when it acquired San Francisco's Pacific Bank
in 2000. It has 52 offices statewide and about $14 billion in assets.

As is increasingly the norm for letters notifying people of data
mishaps, City National's missive, dated June 21, is decidedly short
on facts. (And the facts in this case, as you'll see, are troubling
indeed.)

"City National utilizes outside computer resources to ensure premier
service to you," the bank's letter says.

"Recently we learned that a leading data storage firm employed by one
of these computer service suppliers lost two back-up tapes containing
City National data during transport to a secure storage facility.
Social Security numbers and account numbers were on these tapes."

The letter adds that "there is no evidence whatsoever that this data
has been compromised or mis-used, nor do we believe it will be."

City National is apparently basing this belief on the fact that the
boxes containing the tapes didn't have the bank's name on them and
because the data is hard to access without "highly specialized
skills, specific software and sophisticated equipment."

The letter says City National apologizes for "any inconvenience or
concern" but is confident that notifying customers about the incident
"is the right thing to do."

OK, let's begin.

First off, notifying California consumers of a data security breach
isn't merely "the right thing to do." It's the law. And it's because
of the state's disclosure law that so many other similar cases have
come to light in recent months.

Second, identity theft is the fastest-growing crime in the country,
affecting, according to federal officials, about 10 million people a
year.

It's therefore not much of a stretch to think that would-be ID
thieves might have access to highly specialized skills, specific
software and sophisticated equipment.

Finally, a close reading of City National's letter indicates that the
bank's data was outsourced at least twice. First the info was handed
to an unspecified "computer service supplier" that was performing
some unspecified task.

Then it was given to an unspecified data storage firm, which
apparently lost track of the computer tapes on some unspecified date
at some unspecified location under unspecified circumstances.

Tapes lost or destroyed

Linda Mueller, a City National spokeswoman, declined to discuss
specifics of the lost data.

She said only that "federal law enforcement and the bank's own
security team have completed extensive investigations, and they are
confident that the tapes were lost or destroyed."

When I told her what I'd learned about the case from my own digging,
Mueller confirmed that the incident happened in late April and that
the data-storage firm involved is Iron Mountain.

Iron Mountain casts a long shadow over the little-known world of
corporate data storage. The company has more than 235,000 clients
worldwide, including about three-quarters of the Fortune 1000.

In March, Iron Mountain lost computer tapes containing personal info
for about 600,000 current and former Time Warner employees, the two
companies have acknowledged.

A month earlier, discount broker Ameritrade discovered that it had
lost computer tapes containing data for about 200,000 customers. A
couple of months before that, Bank of America found that it had lost
tapes containing more than a million federal workers' account info.

It's unclear whether either of these other incidents involved Iron
Mountain. The data-storage firm doesn't comment on individual
clients, and neither Ameritrade nor BofA has disclosed where the info
was to be held.

On April 21, however, Iron Mountain issued an unusual statement
admitting that the company has experienced "four events of human
error" since the beginning of the year.

Melissa Burman, an Iron Mountain spokeswoman, told me that the
purpose of the April 21 statement was to encourage clients to be more
diligent in encrypting data before turning it over for storage.

"We do 5 million pickups and deliveries a year," she said. "Only a
very small percentage are unsuccessful, but, statistically speaking,
this will keep happening. It's impossible to get to perfection, no
matter how hard we try."

Burman agreed with City National's assessment that accessing data on
backup tapes can be difficult for people lacking technical resources.
But she observed that identity thieves are becoming increasingly
sophisticated.

Encryption is important

"That's why companies need to encrypt before data leave their
domain," Burman said. "It would be near impossible to access if
encrypted."

City National's Mueller declined to say whether the bank's tapes were
encrypted.

"We don't talk about security precautions," she said, "but we can
tell you that information on these tapes would be very difficult to
access."

Since its founding in 1954, City National has focused on meeting the
needs of wealthy customers. The bank boasts that it manages accounts
for "some of the most affluent individuals and successful business
executives in the West."

So why did it take about two months for City National to send out its
state-mandated letters notifying customers of the lost data?

"We notified our clients as soon as we fully understood the details
of what happened and the risk to our clients," Mueller said.

"We moved as quickly and thoughtfully as we could," she added, "but
we also were determined not to do anything that would impede the
investigations or alarm our clients unnecessarily."

Now they can be alarmed for good reason.

David Lazarus' column appears Wednesdays, Fridays and Sundays. He
also can be seen regularly on KTVU's "Mornings on 2." Send tips or
feedback to dlazarus () sfchronicle com.

Page C - 1
URL: http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2005/07/06/BUG0TDJBN01.DTL
--

            +------------------------------------------------------+
            |If the lessons of history teach us anything it is that|
            |nobody learns the lessons that history teaches us.    |
            +------------------------------------------------------+


