Whoops! We Seem to Have Misplaced Your Identity

May 8, 2005

By Randall Stross

http://www.nytimes.com/2005/05/08/business/08digi.html



THE diesel-powered utility van is the unappreciated speed demon of the digital age. Even lumbering along city streets in stop-and-go traffic, it can move a trillion bytes of corporate data across town far faster than if they were sent across the Internet.

The homely Ford Econoline 350 is the workhorse of Iron Mountain, the dominating presence in the off-site data protection business. Its customers include more than three-fourths of Fortune 500 companies, and it had revenue of $1.82 billion last year, earned largely out of public sight as its unmarked vans shuttled among the back-office operations of its clients.

Last week, however, Iron Mountain lost the luxury of going about its rounds invisibly. Time Warner, one of its clients, disclosed that personal information - including names and Social Security numbers for 600,000 current and former employees - had gone missing six weeks earlier while in the care of an unnamed "leader in data storage."

The data had been, in fact, in an Iron Mountain van, and the few details about the incident that it and Time Warner have grudgingly divulged - such as the fact that the pick-up at Time Warner was 1 of 19 the van made bouncing around Manhattan on the fateful day - raise all sorts of questions.

To begin with, why would such sensitive information be handled less like a guard-this-with-your-life briefcase entrusted to Brinks than like a fungible bundle handed to the Dy-Dee Diaper Service? Why was the data unencrypted? And why were trucks involved at all?

Why wasn't the backup done via a secure online connection, an option that Iron Mountain offers as well as physical pickup? Why doesn't Iron Mountain eliminate the risk of midroute problems and retire its fleet of Econolines?

Time Warner blamed Iron Mountain for the potential breach of confidential employee information and would say nothing more about the event. Its tapes were last seen on Iron Mountain's vans, so its position is that it's Iron Mountain's responsibility; end of discussion.

Iron Mountain, for its part, gallantly declined to take Time Warner to task. It could have done so by saying how foolish Time Warner had been to send out sensitive personnel files in unencrypted form. Then again, Iron Mountain itself had failed to advise clients to encrypt files until April 21, when it issued a press release on the subject. This was too late to help Time Warner, whose tapes had disappeared a month earlier.

Time Warner has now publicly vowed to floss regularly and encrypt always.

Iron Mountain has adopted a scattershot approach in its public appeal for exoneration. Disappearing tapes - what its chief executive, C. Richard Reese, calls "inadvertent disclosures" - are a rare problem: 12 instances for every five million pick-ups or deliveries. Mr. Reese said he viewed the rarity of error as exemplary.

Jim Stickley, one of the founders and the chief technical officer of Trace Security, a consulting firm based in Baton Rouge, La., is not impressed: "Imagine the Secret Service said that about presidents: 'Well, we protected most of them.' "

Another argument pressed by Iron Mountain is that it knows of no instance when the loss of tapes has "resulted in the unauthorized access of personal information." Then again, have previous problems involved tapes filled with 600,000 names and matching Social Security numbers thoughtfully left unencrypted?

Iron Mountain also takes too much comfort in the fact that the missing tapes are labeled only with a bar code. The company reasons that a thief in search of Time Warner's employees would not know which van to hit and which tapes to grab.

But why assume a crime of planning and cunning? If the tapes landed accidentally in the hands of someone, who knew someone with the technical competence to take a look at their contents - in unencrypted form, not a difficult feat - what person of ill motive would toss aside those 600,000 names and Social Security numbers?

Iron Mountain's best defense is that its reliance on trucks, which must be loaded and unloaded by all-too-fallible humans, is unavoidable for technical reasons. Online backups are not feasible for large companies, given the sheer mass of data, which has grown faster than the bandwidth of corporate Internet connections.

Illustrative numbers provided by Iron Mountain would seem to settle the question. Consider a customer with 22,500 gigabytes (22.5 terabytes) of data that need to be ready for recovery from a disaster. Compressed - and, one hopes, encrypted - these fit onto 300 backup tapes, easily transported by the Econoline.

Now consider the challenge of alternatively moving that data over the wire. Even with a pair of OC3 lines, each with 250 times the bandwidth of a home broadband connection, you would need more than 82 hours to send one set - though let's not forget that 8 to 10 hours are saved because tapes do not have to be created.

And if disaster were to strike, it would take 82 hours to send these terabytes back over the wire for restoration. That's why "we're not driving the truck out of the equation," Mr. Reese said.

THE example, however, best matches a picture in which the computing resources of the largest corporation consist of a single mainframe, all of its many terabytes of data concentrated in one place, susceptible to a single disaster.

Bud Stoddard, the chief executive of AmeriVault, a rival company based in Boston that offers online backup services, says corporate data is distributed across thousands of servers and desktops. "Disasters happen every day, but they hit a server, or a department, or a building," he said. "They do not take out an enterprise's total data set."

His company - as well as Iron Mountain - offers online disaster protection by copying data via the Internet to off-site servers. This eliminates the problem of limited bandwidth, as only incremental changes to a file, not the entire file, need to be sent. It also eliminates another potential problem: a faulty tape, discovered only when it is needed for restoration.

Because of falling storage and bandwidth costs, it's now economically feasible to prepare for disaster by going digital instead of diesel, using a secure Internet connection to make an offsite mirror image of a corporation's vital data.

And should catastrophe strike, a company need not wait hours or days for its backup data to return by wire: AmeriVault can load 500 gigabytes of backed-up data onto a portable drive, then speed it to a client. For that rare emergency, the trusty Econoline can be summoned for duty.

Had Time Warner used the Internet to back up its data, the company would not now find itself reassuring its millions of subscribers - 21.7 million on AOL alone - that only employee information was in the missing tapes.

The company has offered to the individuals listed in the database a one-year subscription to Equifax's Credit Watch service. Iron Mountain has not stepped forward to pick up the bill. It adheres to the same view as photo processors: if something goes wrong when your film is in their possession, they'll replace the film, but they take no responsibility for the lost photos.

"Under standard liability, we are not responsible for the information stored on the tape," said Melissa Burman, an Iron Mountain spokeswoman. "That's because we never know what information is stored on any particular backup tape."

But when a missing tape could expose hundreds of thousands of people to identity theft through no fault of their own, many of whom may retain lawyers happy to work on contingency, Iron Mountain and similar companies are probably glad they never know the contents.

This unfortunate event, seemingly similar to a long list of recently revealed security incidents involving other companies and organizations, should stand apart for one reason: it could have been avoided so easily. It would have been a nonevent had Time Warner encrypted its personnel files before shipping them.

Mr. Stickley of Trace Security advocates making encryption a matter of law: "The government should be stepping in and say, 'You must encrypt information that can ruin people's lives,' " he said.

