Another storage security misadventure

Marriott Vacation Club's woes reinforce a familiar lesson: Secure your backup tapes!

Now that it's the first week of January, I probably should be looking at the storage excitement that 2006 has already brought us, such as what's happening at Storage Decision and CES in Las Vegas. But 2005 went out with a bang that's impossible to ignore.

The bang I'm referring to is not from the traditional year-end fireworks (I wish), but from the latest shocking news in storage security -- or rather the lack thereof. As you may have heard, one of the Marriott companies, Vacation Club International, admitted just before year's end that it had lost track of backup tapes containing sensitive data of more than 200,000 customers.

It's only fair to clarify that according to the company press release, only those customers involved in Marriott's timeshare vacation program should be affected by a possible disclosure. So if you happened to be only a hotel guest, your personal data should not be at risk.

I refer to this as a "possible disclosure," because thieves rarely leave a note about their actions, and a month-long investigation didn't reach any conclusive evidence that the tapes were stolen or data on them misused.

For its part, Marriott is still suggesting that the tapes could simply be lost, and noting that the tapes "require specialized equipment to access content." The company is taking predictable damage-control steps, including sending notes and offering complimentary credit-monitoring service to affected customers, and promising that measures have been taken so that similar mishaps won't happen again. Yeah, yeah, yeah… we've heard that before.

Doesn't this have the sound and feel of a recurring nightmare? How many more embarrassing news articles will we see before everyone realizes that putting sensitive customer data on unprotected media (were those tapes encrypted?) is a no-no?

If you acknowledge the problem and are looking for backup security alternatives, fret not: My inbox is full of advice (especially in the wake of similar incidents) on how to remove or reduce the risk of data disclosure from tapes.

Avamar Technologies, for example, suggests that you can eliminate tapes from your backup procedures using its line of Axion  products to cover every aspect of data protection. Or you can look at the services offered by companies such as Arsenal Digital Solutions , and transfer data between your datacenters and a remote vault safely and elegantly via high-speed connections.

These are just two examples of the many data protection options that don't necessarily rely on the tape-backup paradigm. That's not to say tape backups should be eliminated; they're still a respectable, if antiquated, approach but should not be used as a panacea for every data protection need -- especially when your customers' personal information is at risk.

Perhaps it's not too late to make a resolution for 2006: If you are involved in your company's data backups and reading about the Marriott misadventure sent a shiver down your spine, promise to review your approach to data protection ASAP.

Your customers and your company will be grateful. Drive your data safely.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies