Last week, I talked about the hack of Paris Hilton's T-Mobile system and the subsequent, uh, exposure of much of her personal data on the Internet. The hack of the T-Mobile system took a bit of intelligence, some skull work, and no doubt a bit of elbow grease. You can almost respect the person or persons who committed this act, as heinous as it is.
It's a little more difficult, then, to figure out last month's Bank of America and ChoicePoint security shortcomings. In the Bank of America incident, one of the nation's largest financial institutions lost a small number of computer data tapes during shipment to a backup datacenter. The missing tapes contained critical and highly secure data, including some of the U.S. federal government charge card program's customer and account information.
In its official Homer Simpson "D'oh" statement -- I mean, crisis communications statement -- Bank of America said, "Federal law enforcement officials were immediately engaged when the tapes were discovered missing, and subsequently conducted a thorough investigation into the matter, working closely with Bank of America. The investigation to date has found no evidence to suggest the tapes or their content have been accessed or misused, and the tapes are now presumed lost."
Bank of America is continuing to monitor the accounts for any unusual activity, since the incident occurred sometime late last year.
In the case of ChoicePoint, the large data warehouse vendor disclosed that its data banks had been compromised and thieves had bought the identities of people listed in ChoicePoint's records. Again, the data loss was not due to some teenage hacking genius, but good ol' fashioned fraud.
ChoicePoint warehouses personal data, including Social Security numbers, birth certificates, death certificates, insurance reports, marriage and divorce reports, and other personal information. It has about 19 billion "public" records on file.
Jim Stickly, CTO at TraceSecurity, a security products and services company, had some pretty hot opinions on the matter. He said the two incidents illustrate how identity theft has become an epidemic.
"Most Americans don't realize how poorly their private financial information is protected. Their information is stored on computer hard disks and tapes by the numerous trustees of this data -- including banks, brokerages, insurance companies, credit card companies, mortgage companies, and credit rating agencies," Stickly explains. "Unfortunately, most of these trustees implement archaic data privacy practices that haven't kept pace with rapid technological changes."
"For example, most corporate data is stored on hard disks or tape drives in clear plain text, unencrypted, which means that the data is easily accessed by unauthorized persons. The data is especially vulnerable to social engineering exploits, which is when a criminal gains unauthorized access to data via subterfuge, such as gaining access to a tape backup room by posing as a janitor, fire marshal, or an air conditioning technician," Stickly says.
For companies such as AmeriVault, the problems of Bank of America point to a problem in using standard tape and data backup solutions. AmeriVault provides disk-to-disk data protection and recovery services, such as online data backup, e-mail archiving, and data replication.
"Companies are very comfortable with their standard tape and data backup solutions, but they don't often see that there can be some big issues with doing business that way," says Bud Stoddard, president and CEO of AmeriVault. "Companies need to consider whether using tape media is the most appropriate way to transfer highly sensitive data. This [Bank of America] incident was widely reported, but there are plenty of other incidents that are never reported," he says.
Thankfully, that may be changing. States such as California are requiring companies to notify customers when their personal data has been compromised. Other suggestions from security analysts include using tracking devices to monitor the transportation of tapes throughout the logistics chain and considering whether encryption should be used to protect tape contents.
Here are a couple of other suggestions: For individuals, watch your own back. For corporations, consider quoting Homer Simpson when telling consumers their information has been compromised: A simple "d'oh" should be sufficient.