[Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)

security curmudgeon jericho at attrition.org
Fri Jun 6 20:06:01 UTC 2008

: Let's say we do look at the commercial carrier, and the carrier offers 
: insurance against loss and the customer either chooses the insurance or 
: waives the insurance, most commercial carriers will make insurance 
: available, offered with disclosure that if a package's worth is more 
: than insurance will cover the carrier can refuse to carry the package, 
: based on what the customer has disclosed.  Interesting....

Which leads to, what did BNY (or others) claim the backup tapes were 
worth =)

Even if you go with a conservative estimate that one 'identity' is worth 
less than 20 bucks (recently stated in a paper), that is still a lot of 
money if the tapes have a million records. I really doubt BNY is 
declaring the tapes worth that much.

So we have a system of couriers, off-site storage and backup providers 
that seem to be a serious weak point in the data security. Taking this 
one step farther, what if the tape *is* encrypted using really strong 
encryption and the tape is lost. Does the company have to warn customers?

If not, will that lead to companies claiming strong encryption 
regardless, knowing that the odds of the unencrypted tape being 
discovered is very low, then falling back on "error in backup process, it 
should have been encrypted" claims?

More information about the Dataloss mailing list