That's OK because they use self-encrypting drives, right? So a person with the drive can't use the data on it, correct?
SSD missing from SAP datacenter turns up on eBay, sparking security investigation
An SSD disk missing from an SAP datacenter in Walldorf has turned up on eBay, leading to a security investigation by the German software vendor. According to sources close to the incident, four SSD disks went missing from SAP's Walldorf datacenters in Baden-Württemberg, southwest Germany, in November last year. One of the …
COMMENTS
-
Wednesday 21st June 2023 12:57 GMT Lee D
Quite.
I'm intrigued how they were able to identify the drives as belonging to SAP otherwise... they must have been unencrypted or else they'd just look like a bunch of random data at best, or not even let you see the drive at all (if you have ATA-level encryption on).
I suppose in theory they could have connected them to a system and supplied SAP drive encryption credentials and then seen data that nobody without those credentials could have, but it doesn't sound that way. It sounds like plain-text to me.
-
Wednesday 21st June 2023 13:24 GMT Anonymous Coward
"I'm intrigued how they were able to identify the drives as belonging to SAP otherwise... they must have been unencrypted or else they'd just look like a bunch of random data at best, or not even let you see the drive at all (if you have ATA-level encryption on)."
Hard to know exactly.
I'm assuming these were Enterprise high-capacity SSDs (so not the "common") made by a vendor that SAP used. It is possible the particular model/models of SSD were only sold to a limited number of enterprise customers and so them being sold on eBay would point to only a small number of enterprise orgs they could have come from.
Many enterprise/cloud providers shred HDDs/SSDs on-site when they come to the end of their operational life and so any such "unusual" models of drive would be unlikely to be resold anywhere.
Also OPAL drive encryption has in the past been broken/bypassed by security researchers, usually not due to flaws in OPAL in general but rather due to vendor implementation-specific flaws.
It is possible that the drives were not encrypted at all (on the assumption that they would be securely wiped when finished with and shredded if end-of-life).
-
Wednesday 21st June 2023 21:24 GMT Anonymous Coward
Not all SEDs provide on access encryption
Some provide transparent "clear" access but internally encrypt storage with a stored key. The idea being that you can decommission the drive by telling it to delete the key, which then eliminates the sticky problem of getting a modern SSD to actually "Delete" or "overwrite" all of the data stored on it. Of course if the controller board craps out you may not be able to decommission it successfully, and if someone forgets to decom it anyone who plugs it in can access it.
Or you suck up owning your own key management and go OTT. Just don't lock yourself out, as nobody will be able to help you.
-
Thursday 22nd June 2023 15:27 GMT Marty McFly
Seems like a paradox to me.
We have accurate & reliable inventory controls. That allows us to identify these eBay drives as stolen.
Therefore our inventory controls are not accurate & reliable.
Therefore we cannot trust our inventory control data.
Therefore we cannot definitively conclude the drives were stolen.
-
Thursday 22nd June 2023 03:56 GMT Yet Another Anonymous coward
>I'm intrigued how they were able to identify the drives as belonging to SAP
The top level folder contained "SAP secret business stuff.pptx", "Copy of - SAP secret business stuff.pptx", "Copy of - SAP secret business stuff - final.pptx", "Copy of - SAP secret business stuff - final copy .pptx", "Copy of - SAP secret business stuff - final, - review.pptx", "Copy of - SAP secret business stuff - final - review - please use this one.pptx" and "SAP secret business stuff - Print me.pptx"
-
Wednesday 21st June 2023 12:10 GMT Doctor Syntax
"a SAP spokesperson said the disks contained no personally identifiable information"
Given that the drive bought on eBay contained data on 100 SAP employees either SAP employees don't count as persons or the spokesperson is pushing things even further than the standard script for this situation.
-
Wednesday 21st June 2023 13:07 GMT Anonymous Coward
"no personally identifiable information (PII)"
Wondering whether this is a literal quote from the SAP spokesperson (unlikely as it was not inside quotation marks) or written by TheReg's Lindsay.
As the SSDs were stolen in Germany (i.e. EU) then what matters is whether they contained any "Personal Data" which is what EU Data Protection Law (GDPR) is about. PII tends to be a USA term which has a narrower definition than "Personal Data" and is not relevant in the EU.
I'd expect Lindsay to know the difference between Personal Data and PII...
-
Wednesday 21st June 2023 20:54 GMT rcxb
>Wondering whether this is a literal quote
The article isn't that hard to comprehend. That line was obviously a summary of the EXACT QUOTE WHICH IMMEDIATELY FOLLOWED IT... in quotation marks... followed by "they said"...
>PII tends to be a USA term which has a narrower definition than "Personal Data" and is not relevant in the EU.
And yet that is the term the SAP rep used:
"we can confirm we currently have no evidence suggesting that confidential customer data or PII has been taken from the company"
-
Wednesday 21st June 2023 20:47 GMT rcxb
Except that's not *quite* what they said...
"we currently have no evidence suggesting that confidential customer data or PII has been taken from the company via these disks or otherwise"
This may well fall into the burying one's head in the sand category, or the proper business accountability rule: "Just stick your finger in your ear and go ting-a-ling-a-loo."
-
Wednesday 21st June 2023 12:44 GMT Ball boy
'SAP takes data security very seriously'
When we get caught, we take it seriously. Normally, we just assume everything is tickety-boo. Very relaxed about our data warehouse and its appalling physical security until it was discovered to be a weak point. Now it looks like we have a PR disaster on our hands so we need to show that we really do care, honest.
There, FIFY.
-
Wednesday 21st June 2023 13:15 GMT WolfFan
Where I work
Is a lot smaller than SAP, but apparently we are far more secure.
1. All servers, NASes, etc., are inside locked racks. Yes, the racks aren’t anything special, and the locks are pretty flimsy, but it would be obvious if someone liberated a drive.
2. All racks are in locked rooms, using card and touchpad access. And with security cameras inside the rooms and outside, pointing at the doors. Only authorized people are allowed inside. And the cameras would spot someone taking a drive.
3. Entrance, and exit, to the building are via security doors in a mantrap system, with lots of cameras.
4. The sysadmins would probably notice missing drives, not least when reviewing the backup logs.
5. The Morgue where we play with dead equipment is right next to the server rooms. And is locked and the door has security cameras.
6. Anyone who pulls any equipment from the server rooms has to sign for it. And sign it back in when done. We definitely do not allow drives to leave the building. Unless they are headed to Iron Mountain for storage or destruction.
7. As getting into the Morgue or the server rooms requires the key card, which is your ID card, you can't even access anything without it being clear whodunit.
8. Backup tapes are stored in fire-resistant cabinets in the Morgue until the guys from Iron Mountain show up to take them to secure storage. The cabinets are, of course, locked. (Yes, we still use tape. It works.)
There is no reason for a drive to be anywhere except the Morgue or a server room, or in transit between them. (Except for brand new drives arriving from outside, of course.) Any drive going out of service is reformatted seven times, if it still works, and destroyed by physically drilling holes through it. Really good recovery people might get some data from the drive, but it won't be easy. Destroyed drives are sent to Iron Mountain and run through their shredder. Now not even a really good recovery service is going to find much.
So how, exactly, did a major corporation manage to let drives get out into the wild, and not once but multiple times?
-
Wednesday 21st June 2023 14:33 GMT John Robson
Re: Where I work
"2. All racks are in locked rooms, using card and touchpad access. And with security cameras inside the rooms and outside, pointing at the doors. Only authorized people are allowed inside. And the cameras would spot someone taking a drive."
Really? If the cameras are pointing at the doors then presumably I can remove a drive from a server and have it in a pocket as I leave.
Now it should still be possible to say "this was when the drive disappeared, and there were only three people who accessed the room then", but drives are no longer large enough to need any skill to hide them.
-
Wednesday 21st June 2023 15:51 GMT The Oncoming Scorn
Re: Where I work - Cistern Failure
Research Machines assembly plant had a flooded male lavatory, the cause was a jammed open valve.
One of the contractors had signed out a replacement HDD (Still in its shrink wrapped factory bag), then gone to the lavatory & hidden it in the cistern for later retrieval at the shift end but jammed the valve open.
He was traced from serial number on the HDD, the timestamp of signing for it & the security footage from that point & then going for his data dump.
-
Wednesday 21st June 2023 15:09 GMT Mike 137
Don't be a sap
"SAP takes data security very seriously..."
So seriously that folks can leave a secure area with kit unchallenged. This reminds me of the famous WikiLeaks incident where the perp transported secrets out of a SIPRNET environment on writable CDs that he pretended were pop music he'd brought in to play on his phones. The investigation found that the stringent SIPRNET security protocols were not applied to guys they knew: "Personal use was common, widespread and casually accepted – “Defense (Coombs): How was it enforced? Lim: No. You trusted people”"
-
Wednesday 21st June 2023 15:53 GMT Richard 31
I used to know a guy that would run a scam thusly:
1) pop out a drive on a RAID array
2) reseat it
3) wait for the Compaq (yes this was ages ago) engineer to turn up, replace the drive and leave the old one in the rack because of the disk retention policy.
4) swipe the 'faulty' drive
No idea if they got flogged on fleabay though
-
Wednesday 21st June 2023 17:14 GMT John Geek
Yeah, that's the fun with traditional RAID mirroring, you can't tell which instance is the 'good' one. Another reason I'm a big fan of ZFS: every block on every device has a timestamp and checksum. Conventional RAID assumes disks have only two states, working perfectly, or not working at all; they don't allow for anything in between.
-
Wednesday 21st June 2023 21:29 GMT OhForF'
A majority of servers probably do not use an OS compatible with BitLocker.
While solutions to encrypt data at rest will be available it is very optimistic to assume that all major corporations use that - just look through recent articles on el Reg and you'll find examples where they struggle when they have to restore data from backups.
With good physical security in the server rooms and data that is not very sensitive it might even be a good decision not to encrypt the disks, removing an extra complication layer for backups (and saving you some CPU cycles for a software solution or saving some money if using hardware-based encryption).
-