Lord of the Rings: The Return of the Snafu
Gandalf: (laughs) Oh, of course. "Speak, friend, and enter."
(Stands up and holds up staff)
Gandalf: MELLON!
(Security doors open wide...)
Couriers lost magnetic tapes containing the personal details of 4.5 million people who had dealt with the Bank of New York Mellon, it has emerged. The incident happened three months ago, but has only surfaced after legal papers were filed in the state of Connecticut. The Bank of New York Mellon offered people whose details …
I'm probably going over old ground here (various British cock-ups) - but why, when you're moving such sensitive data, isn't it held in the safekeeping of the same human being(s) from the beginning of its journey to the end of it? No sorting offices, no handovers: the courier takes it from the sending office to the receiving office, and does not allow himself to be distracted from that task.
OK, maybe in the USA these can be quite long journeys. Even so, I would still give it to one trusted guy (or pair of guys) to take from A to B, with strict instructions about never letting it out of their sight.
Is it REALLY going to take a law backed by punitive damages to make these buggers start using a bit of common before burning tapes/CDs/whatever and carrying them offsite? My details were on a tape lost by a bank about 18 months ago.
The IT department responsible for this disgraceful cock-up issued a statement that it was "about to" implement encryption at the time (so any future IDs I might adopt and give to the bank were presumably safe), and they assured me that it was unlikely that anyone would have the equipment to read the tape anyway so I shouldn't worry my little head about it.
Oh yeah? Is it *that* unlikely that a tape containing a DIY kit for forging the ID of a couple of million customers would be stolen by someone who *hadn't* taken the preliminary step of obtaining a couple of easy-to-get surplus-these-days tape units BEFORE concocting the elaborate "steal tape from courier" plan?
Hay-Zeus on a Bike! You'd think that at least ONE of these buggers would get the message. Perhaps only when Glorious Leader Bush or Beloved Co-Leader Cheney have had their Name, SSN, Address and Deposit Account numbers stolen will Something Be Done.
Bah.
Anyone in any organization that handles data pertaining to clients or customers, especially financial and medical establishments, who transfers unencrypted data is an ignoramus or a fool. And that goes as well for at least one level up in the chain of command.
Oh, yes, regarding "...bank has promised to transfer data electronically, where possible, rather than depending on the transport of physical media..." can you say "Hannaford" boys and girls?
Skull and crossed bones because Pirates is Everywharrrrr. Arrrr.
"After all, who's going to have mag tape equipment anyway. Only stodgy old banks and telcos."
-Holds up hand- The last refurbished computer I bought had a mag tape bay in it! (Pulled it out, it's probably still in my closet)
Hmm, maybe I should put it on E-bay? It looks like it might be worth serious cash to someone, eh?
It comes down to cost. Most of the UK and US banks in the UK (including NYM) use bike couriers, as we are secure and hard to rob, but we're not cheap. The US doesn't have many bike couriers and they are VERY expensive, so it uses overnight services, which cost little.
Overnight courier is very insecure, but when nothing goes wrong it looks cheap. I guess it's a perception thing.
Ex-Securicor Pony Express rider who used to carry everything from cash to a penny under a billion in bearer bonds to your bank's clearing to bullion from cash centres, all on motorbikes. Ex-company manager with a few banks as clients.
Anon as I signed confidentiality agreements (seriously)
Knowing these tards, they probably are still using 7-track round reel. No excuse is good enough for this type of stupidity. Loonies in Ohio were having interns take computer files home with them as an off-premises storage backup... ha.ha.ha.ha.ha
computer tards.... where do they get them?
Because all of the practical encryption options for backup media are *expensive*.
There's:
+ licensing
  i.e. the encryption option for NetBackup isn't cheap
+ implementation
  new tape drives [for hw encryption rather than sw encryption]
  key management software plus associated new processes/procedures
  impact on restoration/recovery times of encrypted data vs unencrypted
+ legal compliance
+ data expiration considerations
+ and DR can become further complicated
Most places seem to get their backup and recovery strategy "working ok", without then going and getting to the next step of securing it properly.
Personally, I'd feel a bit safer if the encryption of *sensitive* data on backup media was legally mandatory AND part of the auditing that's done of financial institutions (i.e. by APRA here in Australia).
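As an added example (not from any commenter, and not the bank's or NetBackup's own code), here is the software-encryption route the comment above lists, in Go: a backup stream is encrypted record by record with AES-256-GCM, and each record's index is bound as associated data so that a tampered, truncated or reordered tape fails authentication at restore time instead of silently restoring bad data. The 64 KiB record size and the CSV-looking sample data are constructed for illustration; the key is assumed to live apart from the media (an HSM or key-management service in practice), which is the key-management process cost the comment refers to, and the per-record framing plus the AEAD work on restore is the recovery-time cost.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"io"
)

// chunkSize is a constructed record size; a real tape pipeline would match the drive's block size.
const chunkSize = 64 * 1024

// GenerateKey returns a fresh 256-bit key. It must be stored apart from the media:
// a tape shipped together with its key is effectively plaintext.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptStream writes framed records: 4-byte big-endian ciphertext length, 12-byte random
// nonce, then ciphertext||tag. The record index is the associated data, so records cannot be
// reordered or dropped without the restore noticing.
func EncryptStream(key []byte, r io.Reader, w io.Writer) error {
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	buf := make([]byte, chunkSize)
	var idx uint64
	for {
		n, rerr := io.ReadFull(r, buf)
		if n > 0 {
			nonce := make([]byte, aead.NonceSize())
			if _, err := rand.Read(nonce); err != nil {
				return err
			}
			var ad [8]byte
			binary.BigEndian.PutUint64(ad[:], idx)
			ct := aead.Seal(nil, nonce, buf[:n], ad[:])
			var hdr [4]byte
			binary.BigEndian.PutUint32(hdr[:], uint32(len(ct)))
			for _, part := range [][]byte{hdr[:], nonce, ct} {
				if _, err := w.Write(part); err != nil {
					return err
				}
			}
			idx++
		}
		if rerr == io.EOF || rerr == io.ErrUnexpectedEOF {
			return nil // clean end of input (last record may be short)
		}
		if rerr != nil {
			return rerr
		}
	}
}

// DecryptStream reverses EncryptStream. Any modified, truncated or reordered record, or a wrong
// key, fails authentication and stops the restore rather than emitting corrupt data.
func DecryptStream(key []byte, r io.Reader, w io.Writer) error {
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	var idx uint64
	for {
		var hdr [4]byte
		if _, err := io.ReadFull(r, hdr[:]); err == io.EOF {
			return nil // no more records
		} else if err != nil {
			return err
		}
		ctLen := int(binary.BigEndian.Uint32(hdr[:]))
		if ctLen > chunkSize+aead.Overhead() {
			return fmt.Errorf("record %d: implausible length %d", idx, ctLen)
		}
		rec := make([]byte, aead.NonceSize()+ctLen)
		if _, err := io.ReadFull(r, rec); err != nil {
			return fmt.Errorf("record %d: truncated: %w", idx, err)
		}
		var ad [8]byte
		binary.BigEndian.PutUint64(ad[:], idx)
		pt, err := aead.Open(nil, rec[:aead.NonceSize()], rec[aead.NonceSize():], ad[:])
		if err != nil {
			return fmt.Errorf("record %d: %w", idx, err)
		}
		if _, err := w.Write(pt); err != nil {
			return err
		}
		idx++
	}
}

func main() {
	key, _ := GenerateKey()
	plain := bytes.Repeat([]byte("ACCT,NAME,SSN\n"), 10000) // constructed sample records
	var tape, restored bytes.Buffer
	if err := EncryptStream(key, bytes.NewReader(plain), &tape); err != nil {
		panic(err)
	}
	if err := DecryptStream(key, &tape, &restored); err != nil {
		panic(err)
	}
	fmt.Printf("restored %d bytes, match=%v\n", restored.Len(), bytes.Equal(plain, restored.Bytes()))
}
```

Hardware encryption on the drive removes the CPU cost of Seal/Open from the host, but not the key-management part: whoever restores the tape still needs the key from somewhere other than the tape.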
I'm loving some of the comments you guys are making. Agreeing with most, i.e. end-to-end delivery by responsible individuals and encryption where possible. But it seems a lot of you guys are really out of touch with practical and economic reality.
Large organisations simply cannot encrypt all tape data due to the size and amounts of data we are talking about, as well as the recovery procedures and timescales that would be required to get the details back from the disk. It may be ok if you are handling a few megs of tape data, but when you are dealing with hundreds of gigs it is a different story.
And don't even get me started on risk calculations. Those of you who have never worked on a large-scale IT project would be well served to get out there and get some experience of systems that would put ACME Pot Rivet Ltd. to shame before chucking in your two penn'orth.
@Justin Clift:
How expensive do you actually think that encryption measures are, compared to the cost and hassle of losing unencrypted data? And we're talking about banks here, not exactly the poorest institutions around.
I'd imagine that most tape drives (libraries, more likely) that banks use are already advanced enough to include hw encryption and compression, I don't think key management is that much of an issue, and I don't see how DR would be significantly impacted either. Overall, definitely a small sacrifice compared to the potential benefits it brings.
@AC about car vs bike:
Motorcycles (or even bikes) are probably a lot more agile, so unless you have some real pros trying to steal the data, you're probably more likely to get away on one of those rather than a car.
But seriously, unencrypted tapes, in 2008? FAIL++ :[
From your bank !!!!!!!!!
They are all at it in the UK at any rate: pay £x per month and we'll provide legal assistance while you sort out your shit in the (increased likelihood) eventuality that your ID gets stolen (after we lost your fucking data HA! HA! HA! - give us more of your money - idiot!)
This is how they are going to stabilise the world currency deficit caused by their bad capital investments and their incredibly weak security policies (not to mention the rather excessive fat cat payouts and executive jollies they've had recently).
I read somewhere that you are safer from ID theft if you only have debts.
Wicked ...................
ALF
There's something like 5000 couriers on bikes within Central London, how do you tell which one has the important package? Not even the customer knows which rider has the package or what route they will take.
I suppose you could wait around outside a bank on Canary Wharf, but then how do you know which rider is carrying important data and which dross?
In the two years I worked for Securicor only one bike was robbed and that was because he forgot to lock his top box. In the several years I ran a company not one rider was robbed although the bank was.
The system of obscurity and speed works in this instance. If it didn't it wouldn't have been used for so long.
People have been shipping backups around ever since we've had backups. I realise that the reporting of these incidents in recent times is highlighting the problem, but imagine how much information has been lost over the last few decades. It's not like courier services have suddenly become incompetent overnight.
This takes the pee pee yet again. How many times does this need to happen before banks will wake up and smell the proverbial coffee (Or in the banks case when will they smell the shit hitting the fan??).
Those affected need to hit them in the only place that hurts for large American Corporations, the bottom line. Hit their profit margin very hard and they'll soon sit up and take notice. A class action lawsuit from 4.5 million people should do the trick.
When will the US administration stop spying on its own populace and bring in some laws to protect them instead?
Flames; 'cos whoever at the bank took the decision to send the unencrypted details of 4.5 million people, via a third party courier, should be burned at the stake in Times Square. I'll bring the petrol...