Bank of America has become the poster child for how not to transport data.
Over the weekend, the Charlotte, N.C.-based financial institution announced it had lost backup tapes containing the personal and financial information of 1.2 million customers. The missing tapes contained U.S. federal government charge account information -- and the personal information of federal employees and U.S. senators.
No unusual activity in the missing accounts has been observed to date, according to Bank of America. But news outlets have reported that the bank has admitted to not encrypting the tapes.
The incident has raised concerns about why this data was not encrypted, and has forced data center managers to reconsider their backup practices.
According to David Farber, a professor of computer science and public policy at Carnegie Mellon University, it is not uncommon for organizations to ship unencrypted tapes and assume they are safe.
"You would think people would learn," said Farber, an outspoken privacy advocate. "It is such an easy thing to encrypt them. Before you write the tape, you encrypt the data. When you get to the other end, you unscramble it. Many of the things you archive, you don't care about. But when it comes to personal information, encryption is important. Tapes could be lost, misrouted, stolen -- anything."
Companies that operate this way are extremely vulnerable, according to Farber.
"Seems to me, any company that ships sensitive data without encryption should be hung out to dry," he said. "Bank of America has been shipping tapes like this for a long time, and they've probably never reported much loss. If it hadn't been for the recent T-Mobile and ChoicePoint stories recently, I doubt anyone would have reported on it.
"With a big data center network like Bank of America's, the data center manager should have been able to encrypt the data on his own," Farber said. "In fact, the program they used to make the tapes probably could have encrypted the data."
Peter G. Neumann, principal scientist at SRI International in Menlo Park, Calif., agrees. Encryption should be the first line of defense. According to Neumann, the precaution probably never seemed important to bank officials.
"People tend to never do anything until they're burned," Neumann said. "We haven't had a true disaster, an IT tsunami, so no one thinks it is worth spending the money to protect themselves."
Neumann also questioned the bank's methodology.
"Why ship a couple of tapes on an airplane? In this day and age you should be able to send them over the Internet if you're careful, or high-speed phone lines and satellite communications," Neumann said.
While privacy is a huge problem and encryption should be mandatory for personal information, technology was only half of the problem. How were the tapes lost? And who is responsible?
According to Austin Hill, president of Montreal-based Synomos, data center managers need to mitigate their risk in people as well.
"You need to have governance in place, checks and balances to manage vendors, partners, storage providers and shipping companies," Hill said. "If you're using a third-party data storage company, do you have a system in place to let people know that your data security standards have changed?
"Lawyers shipping memos to IT people is not an example of good governance. There is a real organizational process that needs to take hold," Hill said.
Even when your encryption is in place and your line of communications is operational, that may not be enough.
"The next level is to audit your encryption," Hill said.
According to Bank of America spokeswoman Alexandra Trower, the bank is not providing details of how it plans to secure customer data in the future because of security concerns.
Let us know what you think about the story; e-mail: Matt Stansberry, News Editor