
Lost data all over the news in 2005

Jan 10, 2006
Backup and Recovery, Networking, Security

* Many examples of lost data

I’ve just finished teaching another workshop in my longstanding INFOSEC Year in Review series and will be writing about some of the topics that struck participants and me as particularly interesting or significant in the year 2005. The updated IYIR database will be available on my Web site soon and I’ll let readers know when it is posted.

The first item that caught my eye in reviewing 2005 was the number of cases of lost computers, hard drives and back-up tapes that cropped up in the news. There were also unwiped computers and disks sold on the open market. Here are some examples that would alarm any information security officer, data center manager or CIO.

Lost or stolen computers

Last January, a survey queried 1,000 taxi drivers around the world and asked them about forgotten electronic gear they had found. Extrapolating from the answers using the numbers of taxis in the areas where the losses were reported, one can guess that about 22,000 laptop computers, 62,000 palmtop computers and 400,000 mobile phones are left behind in a year. The data also suggested that about 80% of the cell phones and 95% of the computers were eventually returned to their owners.

In February, a Delaware blood bank had sensitive donor data on disk on a laptop that fell off a truck. Officials noted that they would henceforth use disk encryption.

In March, the University of California at Berkeley had a laptop computer stolen from the graduate division office; it contained the names, Social Security numbers and birthdates for 98,369 alumni, grad students and applicants.

Also in March, two computers were stolen from the San Jose Medical Group; they contained financial and medical data about 185,000 people. Some of the data were encrypted.

In May, the U.S. Idaho National Laboratory was unable to account for more than 200 missing computers and disk drives, some of which may have contained sensitive (but non-classified) information.

A July report from the U.K. revealed that at least 150 computers had been stolen from central government departments in the first six months of 2005.

Disk drives and computers sold with sensitive data

In April, police in the German city of Brandenburg got rid of a 20 GB hard drive with strategically important data about investigations; they sold it on eBay for $25. Luckily, the student who bought it immediately returned it to the police when he realized the sensitivity of the data.

In July, the State Transit Authority of New South Wales in Australia sold 18 servers containing not only proprietary software but also employee data.


Lost backup tapes

In February, Bank of America lost unencrypted backup tapes being shipped on a commercial airplane; data included details for more than a million customers.

In April, Iron Mountain lost its fourth shipment of backup tapes in 2005 – this time containing data about 600,000 current and former employees of Time Warner.

In June, Citigroup announced that back-up tapes being sent via UPS were lost in transit; data including Social Security numbers on 3.9 million consumer lending customers were lost.

In November, Marriott International realized that some back-up tapes for its Vacation Club were missing; at the end of the year, it announced that the lost or stolen tapes contained credit-card and Social Security number data on 206,000 clients and also on some employees.

Concluding remarks

There was a time when encryption was so CPU-intensive that it was not practical for large volumes of data. Relatively slow disk I/O was another potential bottleneck. However, with today’s fast processors and the prevalence of high-speed write-behind buffered disk drives, there is no practical impediment to encrypting data for most applications and for streaming backups.

Quite aside from the issue of how to dispose of magnetic and optical media, you should evaluate the costs and practicality of encrypting data (or at least, sensitive data) on disks and on backup tapes. However, when you do so, remember to include plans for key escrow and key revocation. For example, be sure that you have decryption keys in escrow for all employee computers that use hard-disk encryption. If you change the encryption key for backups, you have to either keep the keys for the older encrypted backups or decrypt them and re-encrypt them with the new key.
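The escrow and key-change advice above can be checked mechanically before any key is retired. The following is an added example, not part of the original column: the catalog, key ids, retention dates and function names are all constructed for illustration.

```python
from datetime import date

# Constructed sample catalog: (backup id, id of the key that encrypted it, retention expiry).
CATALOG = [
    ("full-2005-11", "k2005", date(2012, 11, 30)),
    ("full-2005-12", "k2005", date(2012, 12, 31)),
    ("full-2006-01", "k2006", date(2013, 1, 31)),
    ("laptop-hr-17", "k-hr17", date(2009, 6, 30)),  # encrypted employee laptop image
]
ESCROWED = {"k2005", "k2006"}  # key ids with a copy held in escrow (constructed)


def audit(catalog, escrowed, today):
    """Return (unrecoverable, retire_after, destroyable).

    unrecoverable: live backups whose key has no escrow copy
    retire_after:  key id -> last retention date among live backups using it
    destroyable:   escrowed keys that no live backup depends on any more
    """
    live = [(b, k, exp) for b, k, exp in catalog if exp >= today]
    unrecoverable = sorted(b for b, k, _ in live if k not in escrowed)
    retire_after = {}
    for _, k, exp in live:
        retire_after[k] = max(exp, retire_after.get(k, exp))
    destroyable = sorted(escrowed - set(retire_after))
    return unrecoverable, retire_after, destroyable


def reencrypt_plan(catalog, old_key, today):
    """Live backups to decrypt and re-encrypt before old_key is dropped."""
    return sorted(b for b, k, exp in catalog if k == old_key and exp >= today)


if __name__ == "__main__":
    today = date(2006, 1, 10)
    lost, keep_until, free = audit(CATALOG, ESCROWED, today)
    print("no escrowed key:", lost)
    for key, until in sorted(keep_until.items()):
        print(f"keep {key} until {until}")
    print("safe to destroy:", free)
    print("re-encrypt before dropping k2005:", reencrypt_plan(CATALOG, "k2005", today))
```

Run against a real backup catalog, the first list is the data that is already unrecoverable if the key holder leaves, and the second is the earliest date each old key can be destroyed if the older backups are kept rather than re-encrypted.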