Security losses can be less than high-tech

04.03.2005
By Bob Francis

Last week, I talked about the hack of Paris Hilton's T-Mobile system and the subsequent, uh, exposure of much of her personal data on the Internet. The hack of the T-Mobile system took a bit of intelligence, some skull work, and no doubt a bit of elbow grease. You can almost respect the person or persons who committed this act, as heinous as it is.

It's a little more difficult, then, to figure out last month's Bank of America Inc. and ChoicePoint Inc. security shortcomings. In the Bank of America incident, one of the nation's largest financial institutions lost a small number of computer data tapes during shipment to a backup datacenter. The missing tapes contained critical and highly secure data, including some of the U.S. federal government charge card program's customer and account information.

In its official Homer Simpson "D'oh" statement -- I mean, crisis communications statement -- Bank of America said, "Federal law enforcement officials were immediately engaged when the tapes were discovered missing, and subsequently conducted a thorough investigation into the matter, working closely with Bank of America. The investigation to date has found no evidence to suggest the tapes or their content have been accessed or misused, and the tapes are now presumed lost."

Bank of America is continuing to monitor the accounts for any unusual activity since the incident occurred sometime late last year.

In the case of ChoicePoint, the large data warehouse vendor disclosed that its data banks had been compromised and thieves had bought the identities of people listed in ChoicePoint's records. Again, the data loss was not due to some teenage hacking genius, but good ol' fashioned fraud.

ChoicePoint warehouses personal data, including Social Security numbers, birth certificates, death certificates, insurance reports, marriage and divorce reports, and other personal information. It has about 19 billion "public" records on file.

Jim Stickly, CTO at TraceSecurity Inc., a security products and services company, had some pretty hot opinions on the matter. He said the two incidents illustrate how identity theft has become an epidemic.

"Most Americans don't realize how poorly their private financial information is protected. Their information is stored on computer hard disks and tapes by the numerous trustees of this data -- including banks, brokerages, insurance companies, credit card companies, mortgage companies, and credit rating agencies," Stickly explains. "Unfortunately, most of these trustees implement archaic data privacy practices that haven't kept pace with rapid technological changes."

"For example, most corporate data is stored on hard disks or tape drives in clear plain text, unencrypted, which means that the data is easily accessed by unauthorized persons. The data is especially vulnerable to social engineering exploits, which is when a criminal gains unauthorized access to data via subterfuge, such as gaining access to a tape backup room by posing as a janitor, fire marshal, or an air conditioning technician," Stickly says.

For companies such as AmeriVault, Bank of America's loss points to a weakness in standard tape and data backup practices. AmeriVault provides disk-to-disk data protection and recovery services, such as online data backup, e-mail archiving, and data replication.

"Companies are very comfortable with their standard tape and data backup solutions, but they don't often see that there can be some big issues with doing business that way," says Bud Stoddard, president and CEO of AmeriVault Corp. "Companies need to consider whether using tape media is the most appropriate way to transfer highly sensitive data. This (Bank of America) incident was widely reported, but there are plenty of other incidents that are never reported," he says.

Thankfully, that may be changing. States such as California are requiring companies to notify customers when their personal data has been compromised. Other suggestions from security analysts include using tracking devices to monitor the transportation of tapes throughout the logistics chain and considering whether encryption should be used to protect tape contents.
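To make that last suggestion concrete, here is an added example (written for this column, not code from Bank of America, AmeriVault or TraceSecurity) that seals a backup payload with AES-256-GCM before it goes to tape: the tape label is bound as authenticated data, the key stays in the origin site's key store rather than on the cartridge, and a finder of a lost tape gets only ciphertext. The tape label and record are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// TapeImage is all that leaves the building: no key travels with the cartridge.
type TapeImage struct {
	Label      string // tape label, authenticated as AAD so a relabelled tape fails to open
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, including the 16-byte auth tag
}

// NewTapeCipher builds the AES-256-GCM cipher from a 32-byte key that stays in
// the origin site's key store (KMS or HSM); the key never travels with the tape.
func NewTapeCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealTape encrypts and authenticates the payload before it is written to tape.
func SealTape(gcm cipher.AEAD, label string, payload []byte) (*TapeImage, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per tape
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, payload, []byte(label))
	return &TapeImage{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenTape decrypts; a wrong key or any modified byte returns an error, never garbage.
func OpenTape(gcm cipher.AEAD, t *TapeImage) ([]byte, error) {
	return gcm.Open(nil, t.Nonce, t.Ciphertext, []byte(t.Label))
}

func main() {
	key := make([]byte, 32)
	io.ReadFull(rand.Reader, key) // stand-in for fetching the key from the site's KMS
	gcm, _ := NewTapeCipher(key)
	img, _ := SealTape(gcm, "BACKUP-TAPE-0001", []byte("ssn=XXX-XX-6789")) // constructed record
	fmt.Println("ciphertext bytes on tape:", len(img.Ciphertext))
}
```

Tracking devices tell you where the tape went; only the encryption decides what a finder can read, and the authentication tag also catches a tape that was swapped or altered in transit.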

Here are a couple of other suggestions: For individuals, watch your own back. For corporations, consider quoting Homer Simpson when telling consumers their information has been compromised: A simple "d'oh" should be sufficient.