Software is just one component of security: Citigroup's lost tapes


Here's an important lesson for everyone, whether you run Linux, Solaris, Windows, OpenBSD, Mac OS X, or MS-DOS -- your customers' data isn't very secure when tapes carrying sensitive customer data go missing in transit. [Editor's note: Last month, tapes carrying personal information of 600,000 Time Warner employees were also lost in transit. In February, more than one million Bank of America customer records were lost during shipment to a backup center.]

In this particular case, one wonders whether transporting physical media is the best way to transfer sensitive customer data from Citigroup to Experian. It certainly makes one wonder to find out that the tapes were shipped on May 2, and nobody noticed they had gone missing until May 20. Citigroup's Kevin Kessinger said that they were moving the tapes using "an enhanced security procedure we specified and developed with (UPS)," but what about procedures on Citigroup's end to track and follow up on the package?

Since Citigroup is a large company, and 3.9 million customers' data is a staggering figure, their security boo-boo is bound to get attention. However, I suspect this happens on a much smaller scale every day in companies all around the world. Many companies spend a lot of time and money on computer security, and then fail to have good processes for moving backups off site, authenticating customers or disposing of used computers.

This should serve as a strong reminder: You can run any OS you like, apply every patch as soon as it comes out, enforce ridiculously strong passwords, keep your firewalls well-configured, and so forth. It all falls down when an organization has poor physical security or poor security processes. Next time your organization does a security audit, make sure to touch on all aspects of handling data, from the server room, to customer service and all the way to the front door -- and beyond, if necessary.

Topics: Security

About

Joe 'Zonker' Brockmeier is the community manager for openSUSE, a community Linux distro sponsored by Novell. Prior to joining Novell, Brockmeier worked as a technology journalist primarily covering the Linux and FOSS beat, and wrote for a number of publications, such as Linux Magazine, Linux.com, Sys Admin, UnixReview.com, IBM developer...
