Tape Glorious Tape, There’s Nothing Quite Like It

Another data loss incident… 2.2 million billing records. They were on tape, in a car, and the car was broken into - no tapes. The driver had worked for 18 years with the company - alas no more as they had violated the company’s information protection policy - they shouldn’t have taken them home, they should have gone straight to off-site storage. Tapes are great - high capacity, low cost, easy to transport, easy to store, no moving parts (when its on the shelf!), great for long term storage and still an integral part of most companies IT environment. But… also easy to lose… and often the data is stored in an open format - so you don’t need password or anything else to get at it. Far easier to steal a tape, than break into a server…

OK, so it seems cut ‘n’ dried… but… what if the driver had been in an accident and the tapes had been lost. What if the off-site storage (which is run by a 3rd party) was broken into and the tapes stolen? The company is not saying if the data was encrypted or not, but my guess is that it isn’t, so therefore either of these other scenarios could also be valid - and would result in the loss of data.

Part of developing an information security policy is to revisit processes which touch sensitive data - this includes all occasions and possibilities when it can go offsite, or is handled by a 3rd party. It has to include tape backups, CDs, DVDs, USB sticks, and any other physical copies of the data, including laptops.

The simple rule is… if is going offsite, for whatever reason, it needs to be encrypted. Full stop.

(In this case, encrypted backups should have been employed - not just for the car break-in scenario, but also the other ones as well…)

Tapes

June 30, 2008 | Filed Under Information Policy, data-loss, security 

comments

Leave a Reply