Does Lost Computer Tape Equate to Lost Data?

How to Define "Data Security Compromise"?

Computerworld reports that the State of Ohio spent $3 million to remedy the breach of data security resulting from loss of a backup computer storage tape. The computer tape was sitting temporarily in an intern's automobile. The tape held sensitive (unencrypted) data such as social security numbers on thousands of state employees and taxpayers. Most of the $3 million went to giving the affected individuals free credit protection service . . .

Waste of Taxpayer Money

The expenditure of $3 million to deal with this security incident is nuts. The compromise of the tape's physical security does not necessarily mean that the data on the tape had been compromised or even threatened with compromise. What's the likelihood that a thief who steals something from a car is going to possess the equipment, knowledge, talent, patience and courage necessary to read the tape, figure out how to abuse the data on it, and then undertake the risky business of actually committing identity theft? My sense is that the likelihood is very low.

The skills needed to commit successful identity theft are very different from the skills needed to make an opportunistic theft of the contents of an automobile.

Some data breaches are serious, and some are not. This one doesn't sound serious. The $3 million went down a rat hole.

Lost Backup Tape: What's the Big Problem?

Question: Are readers aware of any documented case where a lost backup tape led to identity theft?


--Benjamin Wright

Mr. Wright, a practicing attorney, teaches the Law of Data Security and Investigations at the SANS Institute.


[Postscript: My friend Mich Kabay has been writing about customs agents inspecting laptops as their owners cross international borders. Someone asked Mich whether an enterprise has suffered a data breach requiring notice if it gives a decryption key to customs so it can inspect the contents of a laptop containing personal information. My response: Some people unwisely set a low threshold for considering data to be compromised or for requiring the delivery of a breach notice. It would be ridiculous to say that cooperation with law enforcement (i.e., duly-authorized customs officials) constitutes a data security breach!]

Update: See my analysis of a breach notification where data on stolen laptop are encrypted.

10 comments:

  1. While I'm not saying the cost was justified there is something you need to consider. While it's unlikely the actual thief would be able to use the information, he might just have the right contacts to sell it to a better equipped unlawful entity.
    While probably still in the minority, some common burglars picked up quickly on the value of personal information and it's not that uncommon for them to sell off account numbers and bank ids they jammed in their pocket while picking up the cash, electronics and other valuables in a victim's home.
    The risk is still probably low but not zero. 3 million still sounds excessive but disregarding the risk probably isn't a good idea either.

  2. DoctorRick: I acknowledge your thoughtful comments. Over the past few years, there have been many stories of old-fashioned burglars stealing hardware (laptops, tapes, disks) that contained personally identifiable data such as social security numbers or credit card numbers. I wonder whether there has ever been an instance where the burglar figured out that he possessed sensitive data and that he could exploit it by passing it to people talented at identity theft. I've never seen such a case (I'd be interested to learn about it if it exists). Shortcomings in data security are commonplace. If all shortcomings constitute a data "security breach", then the term "security breach" becomes meaningless.

    --Ben

  3. I couldn't agree with you more. My first project when I started my job with IBM as Information Security Consultant was to investigate the threat posed by a very similar incident. If anyone wanted to read the tape they would have to be a sophisticated user of IT systems and have access to an IBM mainframe. This is highly unlikely, except for organized crime.

  4. Oh, I agree that it's likely very rare and that the term "breach" is often abused. The comment was just an "aside".
    Perhaps a better approach is to disclose, then formulate a plan to take action if there is actual evidence it's being used in the wild.
    As for examples or "brokered" personal information, I can't cite specific cases but have read anecdotes from admittedly high-end and presumably well connected burglars later turned security professionals that they have sold stolen data. Probably even more rare, they claimed they usually knew the item being stolen was potentially a source of salable information.
    As for seeing it actually exploited. I suspect the smaller scale burglaries have such a small window where it could be exploited. The likelihood of the data trading hands to somebody that could use it before it "went stale" was low.

  5. Oh yeah, I bet no one has the ability to hook their computer into these newfangled tapes *heavy sarcasm*. Gimme a break... I'll bet you can buy all the equipment needed on eBay and then just sell off the information on forums and newsgroups.

  6. Guys/Gals
    You are all missing the point.
    The fact is that the processes and procedures were NOT in place to prevent this happening. Any sensitive data should certainly be encrypted if it is transported. The checks and balances which prevent an unencrypted tape from leaving a secure location were the failure. If $3M is what it cost, then the organisation got off lightly.
    Consider the money (and the embarrassment) more as a fine than "going down a hole". You can be sure that the systems will have been improved. Would they have done that if it cost them only $100?

  7. The question around 'data breaches' is whether or not individuals should be allowed some degree of control over their own affairs when their information has been exploited or used for reasons other than that which was initially consented to.
    Mandatory notification of data breaches is a good way to allow individuals to mitigate their losses. However, the question then becomes: what exactly constitutes a severe enough "data breach" that customers should be notified of.

  8. @Anonymous
    I believe most all "private" data have been and are constantly subject to compromise, many, many times over.

    If law were honest and candid, it would inform data subjects, every day, all the time: "YOUR DATA ARE AT RISK ALL THE TIME," and "you should always be on red alert for identity theft." One-off notices (like those typically expected under laws like California's Senate Bill 1386) are meaningless, and even harmful, because they give the false impression that if you did not receive a notice then somehow you have less to worry about than if you did receive the notice. –Ben

  9. Even though I express above skepticism about one-off notices of data breaches, I am not suggesting that data holders should ignore laws that require notice. If the law says you need to give notice, then you need to give notice. --Ben
