Information by its very nature is hard to inventory. Let’s face it, it isn’t cash or precious gems and it can be copied in a LOT of different ways.
This fact also gives the entity losing it a lot of deniability. Most of the time, it’s impossible to be 100 percent sure what happened to any information discovered missing.
Could a tape gone missing at a secure storage facility owned by Iron Mountain containing 650,000 customer files reveal that these facilities provide us with a false sense of security?
Robert McMillan at Computer World is reporting the latest information on this story:
A backup tape containing credit-card information from hundreds of U.S. retailers is missing, forcing the company responsible for the data to warn customers that they may become the targets of data fraud.
GE Money, which manages in-store credit-card programs for the majority of U.S. retailers, first realized that the tape was missing from an Iron Mountain secure storage facility in October, said Richard Jones, a company spokesman. “We were informed that one of the tapes could not be located. But at the same time there was no record of it ever having been checked out,” he said.
The tape contained in-store credit-card information on 650,000 retail customers, including those of J.C. Penney, he said. GE Money employees are also affected by the breach.
Please note, there are reports that 230 retailers lost information and J.C. Penney is just one of them.
Secure storage/information destruction businesses have seen explosive growth due to all the compliance regulations we’ve seen enacted in recent years.
Many of them, including Iron Mountain, advertise state-of-the-art physical security standards. I did take the time to watch the videos on this at the Iron Mountain site, and although they are impressive, the measures they take are pretty common at most secure buildings.
Secure buildings have been burglarized before.
I would also guess that even if external compromise was ruled out, it can be stolen by anyone who has been given access to it. Again, we are dealing with a commodity that is hard to inventory and can be reproduced (copied) in a lot of different ways.
Another point to reflect on is that a lot of this information is brought to these facilities to be destroyed. Since the information being destroyed isn’t inventoried, it’s probably impossible to go back and verify whether the information was actually destroyed.
My guess is that the biggest threat to information stored at these facilities is human beings, who make mistakes or can intentionally commit wrongdoing.
How valuable would a plant, or a recruit, be to an identity theft gang in one of these facilities? My guess also is that as long as they were not very greedy, they could probably operate for a long time and never get caught.
Again, it is very hard to inventory information, which also makes theft detection difficult.
In Iron Mountain’s security videos, they mention that they put their employees through extensive background tests. In today’s world, with all the stolen identities and counterfeit documents available, the effectiveness of background checks is also questionable.
To support this, I would point to the fact that millions of illegal immigrants seem to have no problem passing them.
Please note, I’m not worried about the illegal immigrants trying to make a better life for themselves. The problem is all the criminals, who hide in the camouflage the illegal immigration phenomenon provides.
So far as the people coming here to earn a decent living, they wouldn’t be here if there weren’t a lot of jobs available to them.
I don’t want to pick on Iron Mountain too much. They aren’t the only players in this growth industry. In fact, the security they provide is probably as good, or better than most of their competition.
The problem is that in actuality, they are just one more place information can be compromised. By their very nature these facilities are a point of consolidation for sensitive information. This makes them a lucrative target for those in the information theft business.
A wise man once said, the best way to protect information is to not store it in too many places in the first place. Unfortunately, as long as information is worth a lot of money, we will probably continue to ignore this sage advice.
The good news is that in this case, we know what information was stolen. This means that measures can be taken to prevent it from being used to commit crimes.
Computer World article by Robert McMillan, here.
1 user commented in " Do secure storage/destruction facilities really protect information from theft? "
This is a very interesting article. I’ve often wondered where the stolen tapes and laptops with massive amounts of sensitive information end up. Thrown away perhaps? Or maybe the thieves are lying in wait for the smoke to clear before they slowly use the information — staying under the radar.
There are so many of these thefts happening that it is going to be difficult to determine where the theft originated. There is a lot of cross-pollination of thefts occurring which compounds the problem for consumers and employees. Sometimes consumers receive several breach announcement letters in one week. So when a use of this information surfaces, the consumer will be hard pressed to determine what company or government agency is responsible.
You hit the nail on the head when you talk about the number of data storage facilities containing massive amounts of data. You were also right in speaking to the issue of background checks. I always say, background checks are only valuable in reporting what has happened in the past and not what a person will do today or in the future.
Employees (temporary and permanent) with no red flags in their past are EXACTLY the individuals crime rings recruit with monetary enticements. The more desperate people get for money, the more inside theft will occur. The longer companies go not providing proper employee identity theft education, the more susceptible they are to insider theft.
IDTELi is trying hard to get this message out and we are finding companies of all sizes are reluctant to invest time and resources into developing comprehensive identity theft education. Many companies are opting to pass out information in newsletters, e-mails and free workshops but have no way to determine if their audience has even read or heard the information.
Until companies adopt sound education programs and develop “accountability” programs, it is unlikely we’ll see a decline in lost and stolen information.