Bank Data Tape With No File Encryption Lost: Wells Fargo Customers Affected.

At least, I’m assuming that file encryption was not used based on the article I’m reading at codyenterprise.com.  A computer data tape which contained sensitive customer information like names, addresses, Social Security numbers, and bank account numbers was reported as lost by Wells Fargo.  Specifically, the Shoshone First Bank in Cody and Powell; Jackson State Bank & Trust; Sheridan State Bank; First State Bank of Pinedale; and United Bank of Idaho in Driggs, as listed in the article.


 


According to Shoshone First Bank executive vice president Ross, the tape was being transported from one bank to another, and when the staff arrived at “the site” they noticed that the tape was missing.  He also mentioned that it can “definitely [be said] this wasn’t a theft” and that the information would be difficult—but he did not say impossible—to access because special equipment is necessary.  As he noted, “you can’t just plug this into a computer and run it.”


 


This is true.  I mean, you can’t just dump a DVD into a computer; it has to have a DVD drive.  If you have a CD drive, which happens to look exactly like a DVD drive (and to some, like a cupholder), that DVD is still no good; you have to have a device that can read the data.  This is just common sense.  Likewise, a data tape needs a tape drive; this, too, is common sense.  Now, the question is whether such equipment is freely available for purchase, and whether the bank uses an off?the?shelf solution for reading and writing data to tapes.  But, the truth is that as long as data encryption is not used, sensitive data is not really safe.  A person with the right skills can do more than glean the data from an unprotected file.


 


Which brings us to the assertion that this incident is not an act of theft.  I mean, it’s obvious that the staff who were carrying this tape were not robbed blindly during daylight.  Otherwise, they couldn’t claim that they “lost” a tape.


 


On the other hand, it’s pretty apparent they have no idea how they lost it: they could have left it on a bank executive’s desk or somebody could have lifted it off them.  The former can be considered “losing” a tape; the latter is clearly theft.  Just because someone hasn’t had to face the wrong end of a gun or knife; or that windows weren’t broken; or other acts of violence associated with a mugging or burglary haven’t happened in this case doesn’t mean that one can claim, unequivocally, that thieves weren’t after the data.


 


How many customers were affected?  The bank’s not releasing that information due to pending investigations.  Personally, I think it’s smart that the bank didn’t release the details upfront.  If the number is significant, it might be an additional impetus for getting data off the tape—assuming someone did decide to actively steal it.


 


What banks may want to do is use a data encryption solution like AlertBoot to secure sensitive information.  This way, one can steer the conversation from “well, it’s kinda hard to access the information, so you should be okay” to “your information has been encrypted with a 128?bit encryption key.  It’d take the thief 200 years to get to that information. You will be okay.”

 

Related Articles:


http://www.codyenterprise.com/articles/2008/08/20/news/news4.txt



Comments (0)


Let us know what you think