Here is a breaking news story from the Wall Street Journal this morning.
Bank of America Corp. said it lost computer backup tapes containing personal information such as names and Social Security numbers on about 1.2 million federal-government charge cards.
At least this story is getting publicized. A well-known incident (at least to industry insiders) is the similar episode experienced by one of the major credit card organizations. Backup tapes with *all* credit card info were shipped every night from the east coast data center to the west coast data center. One day the box of tapes did not show up on the luggage carousel at its destination. Oops! When senior management asked what was on those tapes, the answer was:
Do you realize what those tapes could mean to the right people? Maybe billions of dollars. At a minimum, the cost of notifying every cardholder could be in the tens of millions. The cost of re-issuing credit cards is around $80 each, I have heard. Multiply that by a couple of hundred million. Ouch!
Encryption is easy. Use PGP, use Blowfish, use rot13 for crying out loud. Talk to Entrust. Anything to keep data out of the wrong hands.
I cannot understand why tape drives don’t just encrypt. One key per tape drive. Need to restore a tape? Check which tape drive it came from, type in its key and presto! Force the bad guys to steal the tape drive too.
But please, please, look at your data backup and recovery procedures today. If you back up data that includes personally identifiable information, financials, sales records, whatever, you have to encrypt it.
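The "one key per tape drive" scheme above, as an added example that is not from the original post: each tape carries the writing drive's id in a small header, the backup image is sealed with that drive's key under AES-256-GCM, and a restore looks the key up by id. The drive ids, keys and `driveKeys` table are constructed for illustration; a real drive would keep its key in the drive, not in the backup host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// driveKeys models "one key per tape drive": the key stays with the drive, so a
// lost tape is unreadable without it. Constructed 32-byte test keys, not real secrets.
var driveKeys = map[string][]byte{
	"DRIVE-EAST-01": []byte("constructed-key-for-east-01-32by"),
	"DRIVE-WEST-01": []byte("constructed-key-for-west-01-32by"),
}
// gcmFor returns AES-256-GCM keyed for a drive; an unknown id yields a nil key, which NewCipher rejects.
func gcmFor(driveID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(driveKeys[driveID])
	if err != nil {
		return nil, fmt.Errorf("drive %q: %w", driveID, err)
	}
	return cipher.NewGCM(block)
}
// SealTape writes [1-byte id length][drive id][12-byte nonce][ciphertext||tag]; the id is bound as additional data.
func SealTape(driveID string, image []byte) ([]byte, error) {
	gcm, err := gcmFor(driveID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	hdr := append([]byte{byte(len(driveID))}, driveID...)
	return gcm.Seal(append(hdr, nonce...), nonce, image, []byte(driveID)), nil
}
// OpenTape reads the drive id from the header, looks up that drive's key and decrypts; unknown drive or tampering is an error.
func OpenTape(tape []byte) ([]byte, error) {
	if len(tape) == 0 || len(tape) < 13+int(tape[0]) {
		return nil, errors.New("truncated tape")
	}
	n := 1 + int(tape[0])
	driveID := string(tape[1:n])
	gcm, err := gcmFor(driveID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, tape[n:n+12], tape[n+12:], []byte(driveID))
}
```

Because the drive id is authenticated along with the body, relabelling a tape as another drive fails the tag check rather than decrypting to garbage.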
Originally published at www.threatchaos.com