Missing tapes containing the financial information of more than 60 U.S. senators, reported by Bank of America Corp. over the weekend, have prompted banks across the country to reflect on their data security policies.
Bank of America said that its tapes were in transit to its backup data center when they were lost. A spokesperson for the bank declined to say how many tapes were lost, where they were lost or how the incident happened.
She did say that the data on the tapes was "structured in a highly fragmented way" and anyone trying to read it would need "complex hardware and complex software and would have to have access to the fragmentation scheme." She added that an investigation into the incident has found no evidence to suggest the tapes or their content have been accessed or misused. Bank of America confirmed that it had not encrypted the data on the missing tapes.
Tom Fleissner, SAN architect at Pacific Capital Bancorp, stated that in fact it wouldn't be difficult for a knowledgeable person to get access to that data. "It was probably stored in a TAR format … All you would need to do is go to a Unix shell, pull it out and load it to a file," he said.
Pacific Capital employs off-site vaulting service provider Iron Mountain Inc., which picks up its tapes on a daily basis and transports them to an Iron Mountain vault. "It's not as good as encrypting the data on tape, but that's too expensive," Fleissner said. He looked at technology from NeoScale Systems Inc. that encrypts data on tape and recommended it to his supervisors, but they were turned off by the hefty pricing. "Everyone offers free checking today … where's the budget going to come from for this?" he said.
Steven Jones, applications support manager at Chittenden Bank in Vermont, agrees that encryption adds another layer of expense to the process, "but it's becoming essential." Chittenden uses a regular courier service to transport its backup tapes to the company's secondary data center, 200 miles away, but all its data is encrypted.
Enterprise Strategy Group senior analyst Jon Oltsik added that incidents like the Bank of America disaster are far more common than people realize. "Bank of America was forced to disclose the event on this occasion because of the sensitivity of the material, but companies losing tapes like this happens every week," he said.
In California at least, companies are forced to disclose to customers when there has been a breach, according to the California Security Breach Information Act. They are exempt from this if the data is encrypted. Analysts speculate that this Act may eventually become a federal law.
"Not until you are mandated does anyone do anything ahead of time," said Pacific Capital's Fleissner.
Besides NeoScale, other companies providing data encryption for storage include Decru Inc., Vormetric Inc. and Kasten Chase Applied Research Ltd.