Barely a week goes by these days without a major company losing some backup tapes and with it confidential customer or employee information -- or both.
The latest incident involves Iron Mountain Inc., one of the first companies to introduce off-site data protection and electronic vaulting services.
Time Warner Inc. reported Monday that data on 600,000 current and former employees stored on 40 backup tapes was lost in transit by Iron Mountain.
A spokeswoman for Time Warner said that none of its customers have been affected, but tapes containing the names and social security details of its employees, dating back to 1986, are missing. So far, there have been no reports of any fraud associated with the security breach.
"The driver was performing a routine scheduled pickup in New York and continued on his rounds to 18 other customers when he reached our facility in New Jersey he recognized we had a missing container of tapes," said a spokeswoman for Iron Mountain.
She admitted that the company has lost four sets of customer backup tapes this year, but noted that this is a small percentage of the five million or so trips that Iron Mountain makes a year. With the increased regulations around data security, Iron Mountain is recommending that its customers evaluate encryption for backup tapes that are taken off site.
"As long as there are humans involved, we are never going to get to perfection so customers need to close the loop," the spokeswoman said. A source close to Iron Mountain said that the truck was stolen when the driver stopped to get coffee. Iron Mountain denied this.
The Time Warner breach comes just weeks after Bank of America reported lost backup tapes containing the financial information of more than 1.2 million federal employees, including 60 U.S. senators. And last week, trading firm Ameritrade acknowledged that backup tapes containing information on about 200,000 of its customers had been lost in transit. The financial firm is revising its backup policies and, in the interim, has halted all movement of backup tapes, a spokesperson said.
It's no surprise then, that companies selling products that encrypt data on disks and tapes, including Decru Inc., NeoScale Systems Inc. and Vormetric Inc., are being inundated with phone calls.
However, using encryption to protect stored data isn't easy, according to Judith Hurwitz, president of Hurwitz & Associates in Cambridge, Mass. The process can involve substantial changes in the way data is stored, accessed and backed up, she said. Large-scale encryption can also change how applications interact with one another. And the management and administration of encryption keys can be another issue.
Hurwitz adds that half the problems associated with security breaches today have to do with "people and processes" as much as technology. "The processes involved in managing physical resources, the checks and balances and best practices are missing from most companies, and no amount of encryption can fix this," she said.
Others argue that there's no need for tapes to be physically transported when technology is available (backup to remote disk via virtual tape technology) to electronically transmit the data to a vaulting company like Iron Mountain, and then make the tape locally.
Legal Services New York (LSNY), a not-for-profit provider of legal services to low income New Yorkers, uses NSI Software Inc.'s DoubleTake replication software to backup all its data centrally. "We wouldn't trust anyone else with our data and if we did, it would have to be encrypted," said John Greiner, chief technology officer of LSNY.