back to article Zurich Insurance promises changes after data loss

Zurich Insurance has promised to improve its information security after losing personal financial information on 46,000 British clients through careless handling of unencrypted backup tapes. The back-up tape, which also contained personal details of 1,800 third party insurance claimants from the UK, was lost by Zurich's South …

COMMENTS

This topic is closed for new posts.
  1. The BigYin
    FAIL

    Again!

    Why do companies insist on storing personal data unencrypted? FFS.

    Fine them £1,00 per breach. That's £46,000,000. Should help the budget.

    1. The Fuzzy Wotnot
      Pint

      Like all other IT projects...

      IT techies like us say to the upper bods: "You know, this stuff should be encrypted, if it fell into the wrong hands could spell disaster!"

      Management: "Well how much will this encrypting thingy cost?"

      IT Techie: "Well it could be X thousands up front but the peace of mind of..."

      Management: "How much?! Sorry, maybe next year's budget, but with no obvious value for money, sorry but no!"

      1. Lars Silver badge
        Flame

        The first "question"

        I think would be.

        Management "You are going to let tapes fall in the wrong hands then?".

        IT Techie "No, well, of course not".

        Management "Good then, any more silly proposals?".

        Managent to Managemet "who is that guy, anyway?"

    2. Anonymous Coward
      Anonymous Coward

      I agree but...

      Big-time FAIL, I agree..but lots of IT (especially support teams) are anti-encryption (I'm in the InfoSec area and have a very hard time over this).

      Their business is getting things up and running again, and any risk of failing to restore (or delay in restoring) systems or data due to encryption and key management is a big no-no (time is money). Sad fact but unfortunately true. Funny thing is, when it's the IT team's personal data at risk then their objections go out of the window.

      It's harder than you think to convince people about secure practices, even though obvious to the likes of us.

      1. Anonymous Coward
        Thumb Down

        And why is that?

        Because manglement is on their backs for using too much time to restore service. And they can get away with it because InfoSec is not going for manglement's throat when something goes wrong. Probably because InfoSec doesn't have the clout they need to actually tear out a throat or two as and when needed. So start complaining at the CEO or board, then get back to us when they're ready to shell out for the necessary procedures.

        You get what you pay for...

  2. Chris Miller
    Boffin

    In a perfect world

    All backup tapes would be encrypted. But in the real world, it costs money and (perhaps more important) takes extra time, when many organisations struggle to fit their backup process into the time slots that are available.

    The downside of unencrypted tapes is really the bad publicity if (when) they're lost - as in this case. It's overwhelmingly more likely that it's been misfiled in transit than that it's fallen into the hands of some devilish gang of identity thieves with access to an LTO tape reader - and if it's just one tape from a series, it may well be difficult to reconstruct the data it contains in any meaningful way.

  3. John Tserkezis

    Promise to fix it?

    Promise!? Are they kidding?

    It's not going to get fixed because nothing ended up in the wrong hands.

    With no penalty, there's no incentive to fix it.

  4. Anonymous Coward
    Anonymous Coward

    Err...

    By "was lost by Zurich's South African sister company during what was described as a routine transfer to a data storage facility in South Africa " I take it they mean that their offsite vault supplier lost the tapes for them...

    Re: Tape encryption - We don't know when these tapes were written, it may have been years ago and only came to light when the tapes weren't returned to site - good, fast tape encryption has only really been available in the last five or so years. It is very expensive, it is also very complicated to implement a global key management infrastructure to handle key distribution and ageing. I would expect to see more 'we can't get your data back' stories as tape encryption becomes cheaper and more people implement without knowing exactly what they're doing.

  5. Anonymous Coward
    Grenade

    encryption

    so we're all so sure that backups should be encrypted?

  6. Anonymous Coward
    FAIL

    At least they do backups..

    Cant be a M$ run company then, they don't bother with backups.

    We use double SSL encryption which make everything automatically encrypted before any data is written to disk. If the data were after transfer to fall into the wrong hands due to an accident, we are sure the data is safe ... so long as they did not also have access to the originating server.

    And then during a backup the data is encrypted again with different keys. Its not great issue to decrypt or encrypt in real-time if its planned in from the outset. Its just another step in the whole process.

  7. Anonymous Coward
    Megaphone

    The big question

    is why UK data is being transmitted and stored outside of the UK? Why isn't the information commissioner jumping all over them for that?

  8. andy 103
    Coat

    Don't worry....

    ...this kind of thing happenZ

    I'll get my coat.

  9. Richard 12 Silver badge

    Yet another abject failure of Government

    If there is no penalty other than having to 'promise not to do it again', then no company will *ever* proactively secure anything. They'll wait until something gets lost, then promise not to do it again.

    Just like Health and Safety, *nothing will change until there are consequences for breaches*

    The only reason for the UK's currently excellent record on workplace safety is because doing nothing costs too much when there is an accident - and has the potential to be really expensive even without an accident.

    Yet not bothering with Data Protection costs nothing at all, even when massive breaches happen!

  10. James Woods

    just be like citibank

    I think losing customer data can be a good thing (if done enough).

    Citibank for instance whom I have been an account holder of most of my life has sent me several letters through the years telling me through their careless activity they lost confidential customer information to an unknown amount of clients.

    These are all snail mailed letters that can be confirmed by Citi with a phone call. They've done this enough that when you see the letter come in you know what it is.......

    But theres a light at the end of that tunnel. They always seem to have some "free" credit monitoring program open to you "for a limited amount of time" since Citi knows that identity thieves usually don't try to steal the identity of people after so much time.

    They know it better then we all do, that's why they continue to lose customer data and make money on the backend by those taking advantage of these credit monitoring programs. It's only free for a limited time then you pay and Citi gets paid.

    I say to Zurich, follow Citis lead, maybe you can get 25 billion from our government as well.

  11. John Smith 19 Gold badge
    WTF?

    Data transfer outside the EU? No fines? No mandatory encryption

    Icon says it all.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022