The loss of a backup tape from the Bank of New York Mellon is making the rounds on the internet. According to a press release by the Connecticut AG’s office, the backup tape was lost by the storage company that was in charge of keeping the tapes safe, Archive Systems, Inc., not by the bank itself. It’s one of those instances when one hopes that full disk encryption was applied to the tape.
But the data on the tape was not encrypted, and this may mean that hundreds of thousands of CT residents—and possibly millions more in other states—could be affected by this loss. What’s surprising to me about this press release, though, is not the scope and size of the data breach; we’ve certainly had bigger and broader before. Rather, it’s the sense of urgency and risk that is conveyed by the AG. From the press release quoting CT Attorney General Richard Blumenthal (http://www.ct.gov/ag/cwp/view.asp?Q=416000&A=2795):
I am alarmed and deeply concerned by a recent and serious data breach at The Bank of New York Mellon (‘BNY’) involving the loss of computer backup tapes containing sensitive information of some 4.5 million consumers… This security breach seems highly dangerous, indeed possibly devastating in light of the identity theft threat.
It only seems like yesterday that the loss of backup tapes would be poo-pooed as a non-issue, since “special equipment” and “highly specialized knowledge” and “special software” would have been required to access the data. Granted, it was the people who lost the tapes issuing such press releases, so it was to be expected. But it was for naught, since in most cases the “words of comfort” seemed to ring hollow, at least to me.
Oh, there were cases where the words rang true, like when certain government branches had custom-built systems which included both proprietary hardware and software. But even then, the tapes were probably off-the-shelf products, which implies commercially-available hardware would take those tapes as well. So, one had to rely on the obscurity of the software to mask (and thus, protect) the data. But even then, if the software saves the data as plain text files, there is no guarantee of an information breach, as I’m fond of pointing out.
I guess one way to interpret the AG’s comments above is that people have gotten wise to the fact that only encryption solutions like AlertBoot can offer real data security in the event of data loss. It’s not surprising, though, that one would arrive at this conclusion. If the past year has shown me anything, it’s that criminals can pretty much overcome any obstacle except encryption.