Sunday, January 20, 2008

Do secure storage/destruction facilities really protect information from theft?

Information by it's very nature is hard to inventory. Let's face it, it isn't cash or precious gems and it can be copied in a LOT of different ways.

This fact also gives the entity losing it a lot of deniability. Most of the time, it's impossible to be 100 percent sure what happened to any information discovered missing.

Could a tape gone missing at a secure storage facility owned by Iron Mountain containing 650,000 customer files reveal that these facilities provide us with a false sense of security?

Robert McMillian at Computer World is reporting the latest information on this story:

A backup tape containing credit-card information from hundreds of U.S. retailers is missing, forcing the company responsible for the data to warn customers that they may become the targets of data fraud.

GE Money, which manages in-store credit-card programs for the majority of U.S. retailers, first realized that the tape was missing from an Iron Mountain secure storage facility in October, said Richard Jones, a company spokesman. "We were informed that one of the tapes could not be located. But at the same time there was no record of it ever having been checked out," he said.

The tape contained in-store credit-card information on 650,000 retail customers, including those of J.C. Penney, he said. GE Money employees are also affected by the breach.
Please note, there are reports that 230 retailers lost information and JC Penny is just one of them.

Secure storage/information destruction businesses have seen explosive growth due to all the compliance regulations we've seen enacted in recent years.

Many of them, including Iron Mountain advertise state of the art physical security standards. I did take the time to watch the videos on this at the Iron Mountain site, and although they are impressive, the measures they take are pretty common at most secure buildings.

Secure buildings have been burglarized before.

I would also guess that even if external compromise was ruled out, it can be stolen by anyone who has been given access to it. Again, we are dealing with a commodity that is hard to inventory and can be reproduced (copied) in a lot of different ways.

Another point to reflect on is that a lot of this information is brought to these facilities to be destroyed. Since the information being destroyed isn't inventoried, it's probably impossible to go back and verify whether the information was actually destroyed.

My guess is that the biggest threat to information stored at these facilities are human beings, who make mistakes or can intentionally commit wrongdoing.

How valuable would a plant, or a recruit be to a identity theft gang in one of these facilities? My guess also is that as long as they were not very greedy, they could probably operate for a long time and never get caught.

Again, it is very hard to inventory information, which make theft detection difficult, also.

When watching Iron Mountain's security videos, they mention that they put their employees through extensive background tests. In today's world, with all the stolen identities and counterfeit documents available, the effectiveness of background checks is questionable, also.

To support this, I would point to the fact that millions of illegal immigrants seem to have no problem passing them.

Please note, I'm not worried about the illegal immigrants trying to make a better life for themselves. The problem is all the criminals, who hide in the camouflage the illegal immigration phenomenon provides.

So far as the people coming here to earn a decent living, they wouldn't be here if there weren't a lot of jobs available to them.

I don't want to pick on Iron Mountain too much. They aren't the only players in this growth industry. In fact, the security they provide is probably as good, or better than most of their competition.

The problem is that in actuality, they are just one more place information can be compromised. By their very nature these facilities are a point of consolidation for sensitive information. This makes them a lucrative target for those in the information theft business.

A wise man once said, the best way to protect information is to not store it in too many places in the first place. Unfortunately, as long as information is worth a lot of money, we will probably continue to ignore this sage advice.

The good news is that in this case, we know what information was stolen. This means that measures can be taken to prevent it from being used to commit crimes.

Computer World article by Robert McMillan, here.

1 comment:

Anonymous said...

I believe the "wise man" advise mentioned is the whole story. Data is being spread too much to too many players, and mostly for no reason. Is easy to hold merchants responsible for data they should not store on the first place.