Jan 18 2008

Iron Mountain lost tape containing 650,000 records

Published by at 10:06 am under PCI

I’d say this looks like another case of a box falling of the back of a truck somewhere:  Iron Mountain has lost a backup tape belonging to GE Money with approximately 650,000 JC Penney customer records on it, and 150,000 of those records include customer social security numbers.  There’s the usual patter about requiring specialized equipment to read the tape, but I’d feel more secure if they said it was encrypted.  We all know that a tape backup drive isn’t that hard to get, especially if you’re targeting a specific merchant and have any sort of intelligence on them.  We’re being told the number of JC Penney records that have been lost and that as many as 100 merchants could have been affected, so what is the total number of records on the tape?  It could add up to be quite a number when all is said and done.

A representative from JC Penney was interviewed for the Fortify documentary last night, and this is one of the dangers of the information age he didn’t bring up.  Not only do you have to worry about all of the bad guys attacking you directly, you have to worry about your partners, how they’re protecting your data and how their partners are protecting your data.  I’m willing to think this is simply a case of human error and the tape in question fell under a floor panel or something, but it isn’t far outside the realm of possibility that someone took the tape purposefuly.  In a lot of companies, it’d only take a conspiracy of two or three to get the tape, a drive for it and the encryption keys to unlock everything. 

I agree that JC Penney isn’t responsible for the incident, but I get tired of reading the “We have no reason to believe …” statement.  They also have no reason to believe it isn’t being used; there’s no reliable way to correlate a data breach of this sort and the repercussions.  Even most of the people that have been caught in the TJ Maxx case have been the flunkies who were doing the in-person fraud using compromised data.  If someone knows of a statistically significant way the credit card companies can track the affects of this breach, I’d like to hear about it.

We’d never have heard about this before California’s SB1386 and the other state laws that have followed.  And in all likelihood, this probably is just a case of a lost tape, with no nefarious intent involved.  We’re at a stage of the game where I’d rather hear about a couple of false alarms than miss one real event.

Technorati Tags: , , , ,

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

11 responses so far

11 Responses to “Iron Mountain lost tape containing 650,000 records”

  1. Augustoon 18 Jan 2008 at 10:49 am


    And these offsite storage companies still don’t offer insurance options for that kind of incident. Iron Mountain usually pays only the cost of the tape when it is lost.

    Wouldn’t it (insurance) be a business diferential good enough to make companies change their offsite storage providers?



  2. NotEnoughon 18 Jan 2008 at 12:17 pm

    “If someone knows of a statistically significant way the credit card companies can track the affects this breach, I’d like to hear about it.”

    Me too. Companies have traditionally offered something like 1 year of credit monitoring service. I don’ t think that is nearly long enough. The monitoring needs to be for the lifetime of the stolen data. For example, if a SSN is stolen, then the monitoring needs to be for the lifetime of the SSN (could be a long time if a SSN can’t be expired). If it is personal data (i.e. mother’s maiden name, etc.) it would have to be for the remaining lifetime of the person.

    Companies have taken custody of this personal data. As such, they need to be held responsible for it. They need to guarantee its safety over its lifetime or they shouldn’t have it.

    What happens when the bad guys sit on the data for a year or two, and then act on it? This is especially troublesome for stolen SSN. CC#s expire and can be changed in the face of a known compromise. However, I expect I will have my same SSN (and most other personally identifying data that might have been stolen along with the SSN) for many years to come.

    The real problems will arise when this warehoused stolen data is acted on after an extended period of time (i.e. 2-3+ years) after a breach like this. At that time, I expect it will be extremely difficult to correlate that compromise to today’s breach event to find the responsible party.

  3. […] Goodin was at the Fortify documentary earlier this week and draws some of the same conclusions I do about the loss of JC Penney’s customer data.  And more importantly, he actually knows […]

  4. S.B. Davison 19 Jan 2008 at 8:55 am

    I posted the following a couple days ago on another blog and opted to not bother editing it: To me, the only newsworthy aspect of this story is the magnitude of the heist. I’m also surprised to not see similar headlines daily. Here’s why. I install pallet rack systems in these record management establishments and have been doing so for the past 14 years. I’ve installed at Bradford Systems, Chicago Records Management (CRM), and Iron Mountain (formally Pickfords), to name a few. Security in verturally nonexistant except for a few cameras. But cameras or personal are not located in the miles of aisles between 30-50 foot tall racking systems. I, or anyone else, can easily reach into any book and pull out whatever is desired. Paper or a small disc fits rather nicely in a pocket. But I’m not the threat. Nor any other vendors. No! It’s the employees of these establishments, in my opinion. You better be setting down for this next piece of information. The makeup of the employees at all the Record Management places that I have (and currently still do) installed pallet rack systems, employ–here it comes–90% Nigerians, 5% Hispanics, and the other 5% is made up of various other nationalities. Therein lies the rub (again, in my opinion). This does include the lower management in these massive warehouses. Now the percentages that I just gave, of course, are only estimates, but rest assure that they are pretty close. The reason being is cost. A majority do not speak english. You may ask how are they able to perform their jobs. Easy. The number system (the universal language)–coupled with a hand-held computing devise. Please do not take my word on any of these truisms. Do a little homework yourself or simply come back to this post and see what others may contribute in this comment section. I believe there will be some concurrence. I also believe that this is only the tip of the iceberg. One more thing. This is the very first time that I have ever made a comment in this type of forum. I hope I did it correctly. It’s just that I happen to be in a position to pass valuable information since I work in this field. Thank you.

  5. Martinon 19 Jan 2008 at 9:11 am


    I’m in no position to confirm or dispute your percentages, but my own experience in the SF Bay Area don’t back up yours. I haven’t been in an Iron Mountain facility, but the people who’ve dropped off and picked up my tapes through the years have been of just about every ethnicity. They’ve all spoken English at least as well as most of my coworkers. And I seriously doubt it had any impact on their trustworthiness as employees. You’ve already stated it had no affect on their ability to do the work.

    I worry every bit as much about the administrator at the corporate level making an extra tape and taking it home as I do about someone at the offsite storage company stealing a tape. Either one’s possible, and the risk of either happening is probably more dependent on the person’s credit rating than their racial background.

    Any data backing up your assertions will be appreciated.


  6. Benjamin Wrighton 21 Jan 2008 at 1:32 pm


    It is often irrational to treat the mere loss of a tape as a legally-meaninful breach of security. –Ben

  7. Martinon 22 Jan 2008 at 2:04 pm


    I’d argue that it’s always rational to treat a lost tape as if it were a meaningful breach of security. It only appears irrational when viewed in hindsight, when you know the real status of the tape the whole time.


  8. […] we talk about credit protection and the companies offering it.  Thanks to reader Ed, who gave us more information on the companies in the […]

  9. srcasmon 31 Jan 2008 at 6:35 am

    One thing to keep in mind in all of this is why companies are not encrypting their data as it goes off site. I mean, I know it’s an extra step along the way but it help to ensure the privacy of the data stays private. Encryption technology can be time consuming and expensive but if we focus our efforts on finding better and more efficient ways of protecting the data that leaves our hands, we’d all have a much easier time sleeping at night.

  10. Davidon 17 Dec 2008 at 2:19 pm

    But isn’t this just the beginning?
    Here we are in a digital age and they still do Software Escrow / Source Code / IP Escrow the old fashion way, SLOW and EXPENSIVE! Not only does this show extreme exposure, but their services ARE targeted to large companies — a loss like this becomes TREMENDOUS, and since we do business with these large companies — WE ALL BECOME VULNERABLE!
    And think about this – take the SMB market as a whole – where a lot of economists say is the New Hope for moving the economy out of its doldrums – and look at SMB ISVs who produce exponentially more lines of code than the large developers combined. How does a company like IM scale to support them TODAY?!
    And as my esteemed colleague points out, WHERE’S THE ENCRYPTION?! Let’s face it, in a more digital world, with more critical digital assets, IM should be looking at a company like iForem who not only provides online escrow services for companies as large as say Cisco, but is priced for the SMB ISVs – the new Ghostbusters, the fast on their feet ‘who you gonna call?’ folks that large ISVs use when the “need it yesterday” projects pop up! And since the large ISVs can be protected themselves through iForem’s service (which takes only 30 minutes not days or weeks like IM) how can IM continue to compete?

  11. […] we leave aside the number of backup tapes that have gone missing from financial institutions and/or Iron Mountain, there’s the recent Carbonite fiasco. Plus, with everyone and his brother trying to break into […]

%d bloggers like this: