Updated: Lost Tape Not Necessarily a Data Leak
GE Money, which manages store credit cards, was told by Iron Mountain that a backup tape had gone missing. The problem is that the tape is unencrypted and contains personal financial information as well as Social Security numbers. From PC World:
Although J.C. Penney was the only company that Jones would confirm as affected by the missing tape, that retailer accounts for just a small percentage of all accounts that were compromised. In total, 230 retailers are affected by the breach. "Clearly that number includes many of the national retail organizations," he [spokesman for Iron Mountain] said. The tape also contained Social Security numbers of 150,000 customers. When matched with name and address information, Social Security numbers can be used to set up fraudulent credit-card accounts, a common form of identity theft.
An investigation did not show any signs of theft, and according to Reuters:
"We believe this is an unfortunate case of a misplaced tape," Iron Mountain's statement said. "We also understand the tape was created in such a manner to make unauthorized access extremely unlikely and difficult, even for experts with specialized knowledge and technology."
The point is that sometimes a lost tape is just a lost tape. There is no indication this is a TJX-style breach. How far do companies have to go in a case such as this? It would have been better had the tape been encrypted, but it wasn't. Should we assume a worst-case scenario or a most-likely-case scenario? In the latter, we'd monitor accounts and watch for fraud. Time and effort are probably better spent improving tracking and other security measures than assuming all of these accounts are compromised.
McAfee, sponsor of this site, has just announced a data loss protection suite which includes encryption. That is the kind of tool that can take some of the sting out of lost tapes and other media.



