<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Iron Mountain lost tape containing 650,000 records</title>
	<atom:link href="http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/</link>
	<description>The views of one man on security, privacy and anything else that catches his attention</description>
	<pubDate>Sun, 20 Jul 2008 14:13:29 +0000</pubDate>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>By: srcasm</title>
		<link>http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1137</link>
		<dc:creator>srcasm</dc:creator>
		<pubDate>Thu, 31 Jan 2008 14:35:08 +0000</pubDate>
		<guid isPermaLink="false">http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1137</guid>
		<description>One thing to keep in mind in all of this is why companies are not encrypting their data as it goes off site.  I mean, I know it's an extra step along the way but it helps to ensure the privacy of the data stays private.  Encryption technology can be time consuming and expensive but if we focus our efforts on finding better and more efficient ways of protecting the data that leaves our hands, we'd all have a much easier time sleeping at night.</description>
		<content:encoded><![CDATA[<p>One thing to keep in mind in all of this is why companies are not encrypting their data as it goes off site.  I mean, I know it&#8217;s an extra step along the way but it helps to ensure the privacy of the data stays private.  Encryption technology can be time consuming and expensive but if we focus our efforts on finding better and more efficient ways of protecting the data that leaves our hands, we&#8217;d all have a much easier time sleeping at night.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: netsecpodcast.com &#187; Blog Archive &#187; Network Security Podcast, Episode 91</title>
		<link>http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1068</link>
		<dc:creator>netsecpodcast.com &#187; Blog Archive &#187; Network Security Podcast, Episode 91</dc:creator>
		<pubDate>Wed, 23 Jan 2008 04:26:02 +0000</pubDate>
		<guid isPermaLink="false">http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1068</guid>
		<description>[...] we talk about credit protection and the companies offering it.&#160; Thanks to reader Ed, who gave us more information on the companies in the [...]</description>
		<content:encoded><![CDATA[<p>[...] we talk about credit protection and the companies offering it.&nbsp; Thanks to reader Ed, who gave us more information on the companies in the [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Martin</title>
		<link>http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1065</link>
		<dc:creator>Martin</dc:creator>
		<pubDate>Tue, 22 Jan 2008 22:04:58 +0000</pubDate>
		<guid isPermaLink="false">http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1065</guid>
		<description>Ben,

I'd argue that it's always rational to treat a lost tape as if it were a meaningful breach of security.  It only appears irrational when viewed in hindsight, when you know the real status of the tape the whole time.

Martin</description>
		<content:encoded><![CDATA[<p>Ben,</p>
<p>I&#8217;d argue that it&#8217;s always rational to treat a lost tape as if it were a meaningful breach of security.  It only appears irrational when viewed in hindsight, when you know the real status of the tape the whole time.</p>
<p>Martin</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Benjamin Wright</title>
		<link>http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1057</link>
		<dc:creator>Benjamin Wright</dc:creator>
		<pubDate>Mon, 21 Jan 2008 21:32:51 +0000</pubDate>
		<guid isPermaLink="false">http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1057</guid>
		<description>Martin:

It is often &lt;a href="http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html" rel="nofollow"&gt;irrational&lt;/a&gt; to treat the mere loss of a tape as a legally-meaningful breach of security.  --Ben</description>
		<content:encoded><![CDATA[<p>Martin:</p>
<p>It is often <a href="http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html" rel="nofollow">irrational</a> to treat the mere loss of a tape as a legally-meaningful breach of security.  &#8211;Ben</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Martin</title>
		<link>http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1048</link>
		<dc:creator>Martin</dc:creator>
		<pubDate>Sat, 19 Jan 2008 17:11:54 +0000</pubDate>
		<guid isPermaLink="false">http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1048</guid>
		<description>S.B.,

I'm in no position to confirm or dispute your percentages, but my own experience in the SF Bay Area doesn't back up yours.  I haven't been in an Iron Mountain facility, but the people who've dropped off and picked up my tapes through the years have been of just about every ethnicity. They've all spoken English at least as well as most of my coworkers.    And I seriously doubt it had any impact on their trustworthiness as employees.  You've already stated it had no effect on their ability to do the work.

I worry every bit as much about the administrator at the corporate level making an extra tape and taking it home as I do about someone at the offsite storage company stealing a tape.  Either one's possible, and the risk of either happening is probably more dependent on the person's credit rating than their racial background.

Any data backing up your assertions will be appreciated.

Martin</description>
		<content:encoded><![CDATA[<p>S.B.,</p>
<p>I&#8217;m in no position to confirm or dispute your percentages, but my own experience in the SF Bay Area doesn&#8217;t back up yours.  I haven&#8217;t been in an Iron Mountain facility, but the people who&#8217;ve dropped off and picked up my tapes through the years have been of just about every ethnicity. They&#8217;ve all spoken English at least as well as most of my coworkers.    And I seriously doubt it had any impact on their trustworthiness as employees.  You&#8217;ve already stated it had no effect on their ability to do the work.</p>
<p>I worry every bit as much about the administrator at the corporate level making an extra tape and taking it home as I do about someone at the offsite storage company stealing a tape.  Either one&#8217;s possible, and the risk of either happening is probably more dependent on the person&#8217;s credit rating than their racial background.</p>
<p>Any data backing up your assertions will be appreciated.</p>
<p>Martin</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: S.B. Davis</title>
		<link>http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1047</link>
		<dc:creator>S.B. Davis</dc:creator>
		<pubDate>Sat, 19 Jan 2008 16:55:47 +0000</pubDate>
		<guid isPermaLink="false">http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1047</guid>
		<description>I posted the following a couple days ago on another blog and opted to not bother editing it: To me, the only newsworthy aspect of this story is the magnitude of the heist. I’m also surprised to not see similar headlines daily. Here’s why. I install pallet rack systems in these record management establishments and have been doing so for the past 14 years. I’ve installed at Bradford Systems, Chicago Records Management (CRM), and Iron Mountain (formerly Pickfords), to name a few. Security is virtually nonexistent except for a few cameras. But cameras or personnel are not located in the miles of aisles between 30-50 foot tall racking systems. I, or anyone else, can easily reach into any book and pull out whatever is desired. Paper or a small disc fits rather nicely in a pocket. But I’m not the threat. Nor any other vendors. No! It’s the employees of these establishments, in my opinion. You better be sitting down for this next piece of information. The makeup of the employees at all the Record Management places where I have installed (and currently still install) pallet rack systems is–here it comes–90% Nigerians, 5% Hispanics, and the other 5% is made up of various other nationalities. Therein lies the rub (again, in my opinion). This does include the lower management in these massive warehouses. Now the percentages that I just gave, of course, are only estimates, but rest assured that they are pretty close. The reason is cost. A majority do not speak English. You may ask how they are able to perform their jobs. Easy. The number system (the universal language)–coupled with a hand-held computing device. Please do not take my word on any of these truisms. Do a little homework yourself or simply come back to this post and see what others may contribute in this comment section. I believe there will be some concurrence. I also believe that this is only the tip of the iceberg. One more thing. 
This is the very first time that I have ever made a comment in this type of forum. I hope I did it correctly. It’s just that I happen to be in a position to pass along valuable information since I work in this field. Thank you.</description>
		<content:encoded><![CDATA[<p>I posted the following a couple days ago on another blog and opted to not bother editing it: To me, the only newsworthy aspect of this story is the magnitude of the heist. I’m also surprised to not see similar headlines daily. Here’s why. I install pallet rack systems in these record management establishments and have been doing so for the past 14 years. I’ve installed at Bradford Systems, Chicago Records Management (CRM), and Iron Mountain (formerly Pickfords), to name a few. Security is virtually nonexistent except for a few cameras. But cameras or personnel are not located in the miles of aisles between 30-50 foot tall racking systems. I, or anyone else, can easily reach into any book and pull out whatever is desired. Paper or a small disc fits rather nicely in a pocket. But I’m not the threat. Nor any other vendors. No! It’s the employees of these establishments, in my opinion. You better be sitting down for this next piece of information. The makeup of the employees at all the Record Management places where I have installed (and currently still install) pallet rack systems is–here it comes–90% Nigerians, 5% Hispanics, and the other 5% is made up of various other nationalities. Therein lies the rub (again, in my opinion). This does include the lower management in these massive warehouses. Now the percentages that I just gave, of course, are only estimates, but rest assured that they are pretty close. The reason is cost. A majority do not speak English. You may ask how they are able to perform their jobs. Easy. The number system (the universal language)–coupled with a hand-held computing device. Please do not take my word on any of these truisms. Do a little homework yourself or simply come back to this post and see what others may contribute in this comment section. I believe there will be some concurrence. I also believe that this is only the tip of the iceberg. One more thing. 
This is the very first time that I have ever made a comment in this type of forum. I hope I did it correctly. It’s just that I happen to be in a position to pass along valuable information since I work in this field. Thank you.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Network Security Blog &#187; I&#8217;m not the only one who sees the irony</title>
		<link>http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1045</link>
		<dc:creator>Network Security Blog &#187; I&#8217;m not the only one who sees the irony</dc:creator>
		<pubDate>Sat, 19 Jan 2008 16:18:14 +0000</pubDate>
		<guid isPermaLink="false">http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1045</guid>
		<description>[...] Goodin was at the Fortify documentary earlier this week and draws some of the same conclusions I do about the loss of JC Penney&#8217;s customer data.&#160; And more importantly, he actually knows [...]</description>
		<content:encoded><![CDATA[<p>[...] Goodin was at the Fortify documentary earlier this week and draws some of the same conclusions I do about the loss of JC Penney&#8217;s customer data.&nbsp; And more importantly, he actually knows [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: NotEnough</title>
		<link>http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1041</link>
		<dc:creator>NotEnough</dc:creator>
		<pubDate>Fri, 18 Jan 2008 20:17:04 +0000</pubDate>
		<guid isPermaLink="false">http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1041</guid>
		<description>"If someone knows of a statistically significant way the credit card companies can track the effects of this breach, I’d like to hear about it."

Me too. Companies have traditionally offered something like 1 year of credit monitoring service. I don't think that is nearly long enough. The monitoring needs to be for the lifetime of the stolen data. For example, if an SSN is stolen, then the monitoring needs to be for the lifetime of the SSN (could be a long time if an SSN can't be expired). If it is personal data (i.e. mother's maiden name, etc.) it would have to be for the remaining lifetime of the person.

Companies have taken custody of this personal data. As such, they need to be held responsible for it. They need to guarantee its safety over its lifetime or they shouldn't have it.

What happens when the bad guys sit on the data for a year or two, and then act on it? This is especially troublesome for a stolen SSN. CC#s expire and can be changed in the face of a known compromise. However, I expect I will have my same SSN (and most other personally identifying data that might have been stolen along with the SSN) for many years to come.

The real problems will arise when this warehoused stolen data is acted on after an extended period of time (i.e. 2-3+ years) after a breach like this. At that time, I expect it will be extremely difficult to correlate that compromise to today's breach event to find the responsible party.</description>
		<content:encoded><![CDATA[<p>&#8220;If someone knows of a statistically significant way the credit card companies can track the effects of this breach, I’d like to hear about it.&#8221;</p>
<p>Me too. Companies have traditionally offered something like 1 year of credit monitoring service. I don&#8217;t think that is nearly long enough. The monitoring needs to be for the lifetime of the stolen data. For example, if an SSN is stolen, then the monitoring needs to be for the lifetime of the SSN (could be a long time if an SSN can&#8217;t be expired). If it is personal data (i.e. mother&#8217;s maiden name, etc.) it would have to be for the remaining lifetime of the person.</p>
<p>Companies have taken custody of this personal data. As such, they need to be held responsible for it. They need to guarantee its safety over its lifetime or they shouldn&#8217;t have it.</p>
<p>What happens when the bad guys sit on the data for a year or two, and then act on it? This is especially troublesome for a stolen SSN. CC#s expire and can be changed in the face of a known compromise. However, I expect I will have my same SSN (and most other personally identifying data that might have been stolen along with the SSN) for many years to come.</p>
<p>The real problems will arise when this warehoused stolen data is acted on after an extended period of time (i.e. 2-3+ years) after a breach like this. At that time, I expect it will be extremely difficult to correlate that compromise to today&#8217;s breach event to find the responsible party.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Augusto</title>
		<link>http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1039</link>
		<dc:creator>Augusto</dc:creator>
		<pubDate>Fri, 18 Jan 2008 18:49:50 +0000</pubDate>
		<guid isPermaLink="false">http://www.mckeay.net/2008/01/18/iron-mountain-lost-tape-containing-650000-records/#comment-1039</guid>
		<description>Martin,

And these offsite storage companies still don't offer insurance options for that kind of incident. Iron Mountain usually pays only the cost of the tape when it is lost.

Wouldn't it (insurance) be a business differential good enough to make companies change their offsite storage providers?

Regards,

Augusto</description>
		<content:encoded><![CDATA[<p>Martin,</p>
<p>And these offsite storage companies still don&#8217;t offer insurance options for that kind of incident. Iron Mountain usually pays only the cost of the tape when it is lost.</p>
<p>Wouldn&#8217;t it (insurance) be a business differential good enough to make companies change their offsite storage providers?</p>
<p>Regards,</p>
<p>Augusto</p>
]]></content:encoded>
	</item>
</channel>
</rss>

