Here's an important lesson for everyone, whether you run Linux, Solaris, Windows, OpenBSD, Mac OS X, or MS-DOS -- your customers' data isn't very secure when tapes carrying sensitive customer data go missing in transit. [Editor's note: Last month, tapes carrying personal information of 600,000 Time Warner employees were also lost in transit. In February, more than one million Bank of America customer records were lost during shipment to a backup center.]
In this particular case, one wonders whether transporting physical media is the best way to transfer sensitive customer data from Citigroup to Experian. It is also telling that the tapes were shipped on May 2, yet nobody noticed they had gone missing until May 20. Citigroup's Kevin Kessinger said that they were moving the tapes using "an enhanced security procedure we specified and developed with (UPS)," but what about procedures on Citigroup's end to track and follow up on the package?
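The tracking gap described above (shipped May 2, not noticed missing until May 20) is the kind of thing a daily reconciliation job catches in days rather than weeks. The following is an added example, not code from the article or from any of the companies it names: a small chain-of-custody check that flags any off-site media shipment with no receipt confirmation past its agreed delivery window, and that only marks a shipment received when every tape label is accounted for. The shipment ids, tape labels and three-day transit window are hypothetical; the year 2005 is assumed.

```python
# Added example (not from the article): a chain-of-custody reconciliation
# check for backup media shipped off site. Sample data is constructed; the
# May 2 shipment and May 20 discovery dates come from the article, the year
# 2005 is assumed, and shipment ids and tape labels are hypothetical.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Shipment:
    shipment_id: str                 # hypothetical internal tracking id
    media_ids: list                  # tape labels packed into this shipment
    shipped_on: date
    expected_transit_days: int       # delivery window agreed with the courier
    received_on: Optional[date] = None   # set only when the receiving site confirms


def due_date(s: Shipment) -> date:
    """Last day on which the package is still considered on time."""
    return s.shipped_on + timedelta(days=s.expected_transit_days)


def first_alert_date(s: Shipment) -> str:
    """ISO date on which a daily reconciliation job would first flag the package."""
    return (due_date(s) + timedelta(days=1)).isoformat()


def overdue_shipments(shipments, today_iso: str):
    """Return (shipment_id, days_overdue, media_ids) for every package that is
    past its due date and still has no receipt confirmation."""
    today = date.fromisoformat(today_iso)
    flagged = []
    for s in shipments:
        if s.received_on is None and today > due_date(s):
            flagged.append((s.shipment_id, (today - due_date(s)).days, tuple(s.media_ids)))
    return flagged


def confirm_receipt(s: Shipment, scanned_ids, received_iso: str):
    """Record receipt from the labels the receiving site actually scanned and
    return the set of tape ids that were shipped but never arrived. The shipment
    is marked received only when every tape is accounted for, so a partial
    delivery keeps showing up as overdue."""
    missing = set(s.media_ids) - set(scanned_ids)
    if not missing:
        s.received_on = date.fromisoformat(received_iso)
    return missing


# Constructed sample: one package shipped on May 2 that nobody confirmed,
# and one that arrived and was checked in normally.
SAMPLE_SHIPMENTS = [
    Shipment("SHP-0001", ["TAPE-A1", "TAPE-A2", "TAPE-A3"], date(2005, 5, 2), 3),
    Shipment("SHP-0002", ["TAPE-B1"], date(2005, 5, 10), 3, received_on=date(2005, 5, 12)),
]


if __name__ == "__main__":
    for sid, days, media in overdue_shipments(SAMPLE_SHIPMENTS, "2005-05-20"):
        print(f"{sid}: {days} days overdue, unaccounted media: {', '.join(media)}")
    print("first alert would have fired on", first_alert_date(SAMPLE_SHIPMENTS[0]))
```

Run daily against the shipping log, the check would have raised SHP-0001 on May 6, fifteen days before the loss was actually noticed. The point of requiring a scanned label list on receipt is that "the box arrived" and "every tape arrived" are different facts, and only the second one closes the custody record.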
Since Citigroup is a large company, and 3.9 million customers' data is a staggering figure, their security boo-boo is bound to get attention. However, I suspect this happens on a much smaller scale every day in companies all around the world. Many companies spend a lot of time and money on computer security, and then fail to have good processes for moving backups off site, authenticating customers, or disposing of used computers.
This should serve as a strong reminder: You can run any OS you like, apply every patch as soon as it comes out, enforce ridiculously strong passwords, keep your firewalls well-configured, and so forth. It all falls down when an organization has poor physical security or poor security processes. Next time your organization does a security audit, make sure to touch on all aspects of handling data, from the server room, to customer service, and all the way to the front door -- and beyond, if necessary.