Software is just one component of security: Citigroup's lost tapes


Here's an important lesson for everyone, whether you run Linux, Solaris, Windows, OpenBSD, Mac OS X, or MS-DOS -- your customers' data isn't very secure when tapes carrying sensitive customer data go missing in transit. [Editor's note: Last month, tapes carrying personal information of 600,000 Time Warner employees were also lost in transit. In February, more than one million Bank of America customer records were lost during shipment to a backup center.]

In this particular case, one wonders whether transporting physical media is the best way to transfer sensitive customer data from Citigroup to Experian. It certainly makes one wonder to find out that the tapes had been shipped on May 2, and it wasn't noticed that they'd gone missing until May 20. Citigroup's Kevin Kessinger said that they were moving the tapes using "an enhanced security procedure we specified and developed with (UPS)," but what about procedures on Citigroup's end to track and follow up on the package?

Since Citigroup is a large company, and 3.9 million customers' data is a staggering figure, their security boo-boo is bound to get attention. However, I suspect this happens on a much smaller scale every day in companies all around the world. Many companies spend a lot of time and money on computer security, and then fail to have good processes for moving backups off site, authenticating customers or disposing of used computers.

This should serve as a strong reminder: You can run any OS you like, apply every patch as soon as it comes out, enforce ridiculously strong passwords, keep your firewalls well-configured, and so forth. It all falls down when an organization has poor physical security or poor security processes. Next time your organization does a security audit, make sure to touch on all aspects of handling data, from the server room, to customer service and all the way to the front door -- and beyond, if necessary.


Talkback

3 comments
  • Until their ridiculous arses get sued, nothing happens...

    There needs to be liability AND visibility. It's almost like they work WITH the criminal element.
    ordaj@...
  • Don't worry, they've got it covered

    http://www.citigroup.com/citigroup/press/2005/data/050606a.pdf

    "We have no reason to believe that this information has been used inappropriately and
    we have not received any reports of unauthorized activity" - but keep looking over your shoulder, just in case.

    "we initiated an investigation of this incident as soon as we were made aware of it" - but like the author said, why didn't we check to see it had arrived, instead of waiting to be told it didn't?

    "Beginning next month the information we provide to credit bureaus will be sent via direct
    encrypted electronic transmission." - smart. Too bad we didn't think of it earlier.

    "Second, CitiFinancial has arranged for you, at your option, to enroll in a credit
    monitoring service at no cost to you for the next 90 days." - We're sure those bad guys will lose interest in a measly 3.9M individuals after just a few days. It'll long be played out before 90 days rolls by.

    "prior to this incident, we had already enrolled you in Citi Identity Theft
    Solutions, a free service from CitiFinancial, to help protect you from identity theft." - And who better to help watch for problems than the guys who caused the problems, right?
    ejhonda
  • Maybe the truck had the Windows XP logo on the side..

    So whoever took it knew it was an easy target?

    LOL..
    Xunil_Sierutuf