Monday, August 28, 2006

Dear Bankers: Your Vault is Not Safe

Several high-profile examples of data tape loss during transit have put customers on alert over the risk that their confidential information may be subject to loss due to movement of backup tapes. For example, Bank of America last year was dealt a severe blow when the company admitted to losing data tapes en route to a data center. The tapes reportedly featured employee and personal information on 1.2 million federal workers.

This year’s news has been full of tape losses from Wells Fargo, Bank of America, Iron Mountain, etc. This, on top of the federal regulators’ heightened focus on Disaster Recovery and Business Continuity after Katrina and other disasters, has put many financial institutions in a quandary over how to handle backups safely while still providing quick access for disaster recovery needs.

The age-old problem of 100% usable vs. 100% secure rears its ugly head again.

For years I have been telling my financial institution clients that storing your tapes in your vault, or in your sock drawer, is not an adequate recovery solution. Not to mention, it is inherently not secure. Now I am telling you that your vault isn’t secure either.

What? My vault is not secure? That’s right, it’s not. I’m going to share a true story with you now, that is so shocking, so scary, that I cannot even reveal what location this took place in. In order to protect my client’s identity, I will even have to fudge the numbers a little, but rest assured, I am rounding down!

The story starts with a bank robbery. A bank robber walked into a very remote bank branch and demanded all of the money in the teller drawers. When finished, he asked for the security videotapes. The branch manager attempted to explain, at gunpoint, that there were no security tapes and that the cameras were 100% digital.

Not being the brightest bank robber, he did not understand or believe the manager and took him to the vault. The bank robber then proceeded to steal the bank’s DATA tapes, thinking that they were videotapes.

Unfortunately, these tapes contained the names, addresses, social security numbers, birthdates, account numbers, and bank balances of 15,000 active bank customers, and another 8,000 inactive customers.

So your vault is not safe either. What is the solution? You must encrypt your data at rest. Period. There are many online data backup solutions that capture block-level daily changes and keep the data fully encrypted both in transit and at rest. At a minimum, data tapes must not be readable in plaintext. We are just not in that world anymore.

In fact, if you are storing any of your non-public private information in a plaintext format, it is only a matter of time and effort before you are going to be exposed.
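The encrypted, block-level backup the post calls for, as an added example that is not the author’s code or any product mentioned here: each run re-encrypts only the blocks that changed since the last run with AES-GCM, binds every block to its position on the tape, and lets you check that a customer record cannot be read off the stored blocks in the clear. The 64-byte block size, in-memory storage and the caller-supplied key are assumptions; a real system would keep the key in an HSM or key manager, never on the tape.

```go
package main
import ("bytes"; "crypto/aes"; "crypto/cipher"; "crypto/rand"; "crypto/sha256"; "fmt")

const blockSize = 64 // tiny block for the constructed sample; real backups use KiB-MiB blocks
// Backup holds what goes to tape (blocks) plus a change index that stays on the protected side.
type Backup struct {
	aead   cipher.AEAD
	blocks map[int][]byte   // nonce || AES-GCM ciphertext+tag: the only thing written to tape
	digest map[int][32]byte // SHA-256 of each block's last plaintext, used to skip unchanged blocks
}
func NewBackup(key []byte) (*Backup, error) { // key: 16, 24 or 32 bytes, supplied by a key manager
	blk, err := aes.NewCipher(key); if err != nil { return nil, err }
	aead, err := cipher.NewGCM(blk); if err != nil { return nil, err }
	return &Backup{aead: aead, blocks: map[int][]byte{}, digest: map[int][32]byte{}}, nil
}
// Run re-encrypts only the blocks whose content changed since the last run (the post's
// "block-level daily changes") and returns how many were written. The block index is the
// associated data, so a block moved to another tape position fails authentication on restore.
func (b *Backup) Run(data []byte) (int, error) {
	written := 0
	for i := 0; i*blockSize < len(data); i++ {
		end := (i + 1) * blockSize; if end > len(data) { end = len(data) }
		chunk := data[i*blockSize : end]
		d := sha256.Sum256(chunk)
		if prev, ok := b.digest[i]; ok && prev == d { continue } // unchanged since last run
		nonce := make([]byte, b.aead.NonceSize()) // fresh random nonce per write, never reused under this key
		if _, err := rand.Read(nonce); err != nil { return written, err }
		b.blocks[i] = b.aead.Seal(nonce, nonce, chunk, []byte(fmt.Sprintf("block:%d", i)))
		b.digest[i] = d
		written++
	}
	return written, nil
}
// Restore decrypts the first n blocks; an altered, truncated or moved block is an error, not silent garbage.
func (b *Backup) Restore(n int) ([]byte, error) {
	var out []byte
	for i := 0; i < n; i++ {
		rec, ns := b.blocks[i], b.aead.NonceSize()
		if len(rec) < ns { return nil, fmt.Errorf("block %d missing or truncated", i) }
		pt, err := b.aead.Open(nil, rec[:ns], rec[ns:], []byte(fmt.Sprintf("block:%d", i)))
		if err != nil { return nil, err }
		out = append(out, pt...)
	}
	return out, nil
}
// TapeContains is the post's minimum test: can this value be read off the tape in plaintext?
func (b *Backup) TapeContains(needle []byte) bool {
	for _, rec := range b.blocks { if bytes.Contains(rec, needle) { return true } }
	return false
}
```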

1 comment:

Anonymous said...

I completely agree with you about the necessity of encryption... but apparently major companies and government agencies don't seem to care.

There have been so many data breaches lately that unencrypted files are simply not an option anymore. Same goes for unprotected email, as Starbucks and Verizon have come to find out earlier this week.

These organizations need a major reality check in all areas of security.