tapes, disks and sticks
This page highlights recent examples of exposure of personal
information through loss of computer tapes or disks or
memory sticks, including misplacement or theft during
shipping.
introduction
Media coverage of the net has led many people to believe
that media such as computer tapes and disks are no longer
used for transporting and archiving large volumes of data,
presumably having been replaced by the net or by secure
private networks. In fact substantial volumes of information
still travel by physical media and are copied onto
tape or disk for remote storage.
It is clear that the protocols used by some organisations
and individuals for safeguarding that information are
defective. Some organisations have sought to minimise
costs by using standard transport arrangements, despite
criticisms that items get misplaced by couriers and airlines
or pocketed by transport personnel (eg baggage handlers).
Inadequacies in transport become of particular concern
when the data custodians have failed, through for example
a poor assessment of risks, to restrict access to media
that do go astray. Finance industry figures have commented
that particular organisations did not encrypt major data
collections because that would involve delays or otherwise
require additional expenditure.
BoA and IBM 2004
In 2004 the Bank of America lost unencrypted tapes with account information on 1.2 million
US federal employee credit cards, including US senators. The tapes went missing during shipment across the US to a remote site.
The bank commented that
we, with federal law authorities, have done a very robust,
thorough investigation on this and neither we nor they
would make the statement lightly that we believe those
tapes to be lost
One of the crueller referred to that as the Mandy Rice-Davies
excuse, commenting "they would say that, wouldn't
they".
IBM Canada lost Alberta government pension tapes and fiche
in 2005. The incident is interesting not for the size
of the exposure -
the tapes held data about 77 pension refund cheques -
but for the cavalier way the loss was handled.
The Alberta Information & Privacy Commissioner notes
that there was no tracking of computer tape shipments
between IBM and its agent, no tracking of delivery of
microfiche from that agent to IBM, and that IBM waited
two months before disclosing the breach.
Iron Mountain and Ameritrade 2005
Unencrypted personal data on 600,000 current and former
Time Warner employees from 1986 onwards went missing during
shipment to the Iron Mountain data repository.
During the same year Ameritrade "misplaced"
some 200,000 customer records on a lost backup tape in
transit.
Citigroup and City National 2005
Tapes holding 3.9 million unencrypted consumer records
of active and closed accounts went missing during shipment
by UPS from CitiFinancial to a credit reference agency.
CitiFinancial apologised, commented it "has no reason
to believe that the information has been used inappropriately",
offered customers free enrollment in a credit-monitoring
service for 90 days (although critics note that the average
time for victims to become aware of the theft is 12 months,
with a further 175 hours and US$808 out-of-pocket expenses
spent clearing their names) and announced that it has
stopped delivering computer tapes by courier.
Los Angeles-based City National announced in 2005 that
it had lost two backup tapes. Those tapes went missing
in transit to a secure repository. It is unclear whether
they ended up as landfill, as streamers for a children's
party or something misused by criminals.
Marriott 2005
Marriott Vacation Club, the timeshare unit of Marriott
International, announced that personal data (including
Social Security numbers, bank and credit card numbers)
for over 206,000 employees, timeshare owners and timeshare
customers featured on backup computer tapes that "went
missing" from the group's Florida office.
It announced plans "to search for the tapes, to determine
how they disappeared and monitor accounts for any unusual
activity or possible misuse" and commented
We regret this situation has occurred and realize this
may cause concern for our associates and customers.
Deloittes 2006
The UK Register reported that a Deloitte &
Touche CD containing information on around 9,000 McAfee
personnel was left in an aircraft seat pocket, exposing
social security numbers and other information about those
employees.
In Australia an army officer merely left a CD in a machine
in the executive lounge of Melbourne airport. That disk
contained a confidential report regarding the controversial
death of an Australian serviceman in Iraq, strengthening
criticism after the government somehow returned another
person's body to the serviceman's family.
AHTCC 2006
Just as embarrassingly, details of 3500 Australian customers
from 18 banks, including names and account numbers, featured
on a memory stick lost by a representative of the Australian
High Tech Crime Centre during transit to an international
meeting on phishing in April 2005.
The information formed part of a classified dossier on
Russian mafia internet scams. Loss of the stick sparked
an "exhaustive" but unsuccessful search by Australian
Federal Police of hotels and airports in Sydney, Singapore
and London. The AHTCC did not inform the bank customers
(who had already fallen victim by providing details in
response to bogus email requests) and reportedly persuaded
the banks not to alert those people, arguing that publicity
would alert new criminals to the stick's existence.
A few months later dossiers, a list of corruption operation
names and computer disks relating to police corruption
investigations were stolen from an unattended Office
of Police Integrity car in East Melbourne. They were recovered
later the same day.