[personal profile] doc_strange
Yet another financial manages to have "go missing" a tape-set full of "Social Security numbers, names, account history and loan information about retail customers, and former customers" -- this time from a division of Citi; the tapes were bound for Experian. They didn't make it.

Read about it on CNN.

A number of other financials have also reported missing tapes. Makes you wonder whether these are "coincidental" losses. Two possibilities: things have been sloppy all along and new audit rules are finding out; and/or there's a targeted effort to nail [backup] copies of this financial data.

Mind, I think the REAL issue is that this petty data is all it takes to compromise someone's financial LIFE... but that's a rant for another day.

(no subject)

Date: 2005-06-07 02:23 am (UTC)
From: [identity profile] marsgov.livejournal.com
Let me go a bit further than that: all the information, these financial histories, were going to be placed in huge databases and sold to data mining corporations.

I have to wonder if it's better that the data were stolen instead.

(no subject)

Date: 2005-06-07 02:25 am (UTC)
From: [identity profile] docstrange.livejournal.com
A Robin Hood or just a hood. One must wonder, yes. Personally, I vote "hood" since they can just do another dump and send to Experian.

(no subject)

Date: 2005-06-07 02:29 am (UTC)
From: [identity profile] marsgov.livejournal.com
Well, yes, for rhetorical reasons I carefully avoided the obvious, that the tapes would simply be sent again.

But the thieves seem to be performing an important public service at this point; they're highlighting not only the lack of security, but the proliferation of data.

(no subject)

Date: 2005-06-07 02:43 am (UTC)
From: [personal profile] liana
Considering how much data has been exposed lately, let's hope that someone gets the hint Real Soon Now.

(no subject)

Date: 2005-06-07 02:53 am (UTC)
From: [identity profile] docstrange.livejournal.com
I have to agree with that (and [livejournal.com profile] tezliana) -- whether there are thieves or not. You know I more or less agree on your point that liability needs to shift onto the lender. Then the nature of the data will matter less than its evidentiary value.

(no subject)

Date: 2005-06-07 01:54 pm (UTC)
From: [identity profile] holzman.livejournal.com
I'm speculating that things have been sloppy all along. Damn few people encrypt their backups.

(no subject)

Date: 2005-06-07 07:09 pm (UTC)
From: [identity profile] cosinejeremiah.livejournal.com
I've never seen anyone encrypt their backups. It cannot possibly be hard to run things through PGP/GPG, since encryption can be automatic and decryption can require a passphrase.

Oh, these tapes need to go to Experian? Use their public key instead of ours this time.

Ouch! My head hurt from the complexity of figuring this out!
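
The workflow this comment describes, as an added example that is not part of the original thread: the sending host encrypts a dump to the recipient's public key with no prompt, cannot read the result itself, and only the recipient's passphrase-protected private key recovers it. The recipient identity, passphrase, file names and sample record are constructed for the demo; it assumes GnuPG 2.1 or later and uses throwaway keyrings under a temporary directory.

```shell
#!/usr/bin/env bash
# Constructed demo: identities, paths, passphrase and data are sample values.
set -eu
WORK=$(mktemp -d)
RECIPIENT="tapes@recipient.example"        # hypothetical recipient identity
PASSPHRASE="constructed-demo-passphrase"   # sample value only

gpg_as() {  # gpg_as <homedir> <gpg args...>: run gpg against an isolated keyring
  local home=$1; shift
  gpg --homedir "$home" --batch --quiet --no-tty "$@"
}

setup_keys() {
  mkdir -m 700 "$WORK/recipient" "$WORK/sender"
  # Recipient generates a passphrase-protected key pair, exports the public half.
  gpg_as "$WORK/recipient" --pinentry-mode loopback --passphrase "$PASSPHRASE" \
    --quick-generate-key "$RECIPIENT" default default never
  gpg_as "$WORK/recipient" --armor --export "$RECIPIENT" > "$WORK/recipient.pub.asc"
  # The sending host imports only the public key; it never holds the private key.
  gpg_as "$WORK/sender" --import "$WORK/recipient.pub.asc"
}

encrypt_dump() {  # unattended: no passphrase or prompt on the sending side
  mkdir "$WORK/dump"
  printf 'acct,name\n0001,Constructed Sample\n' > "$WORK/dump/accounts.csv"
  tar -C "$WORK/dump" -cf - . |
    gpg_as "$WORK/sender" --trust-model always --recipient "$RECIPIENT" \
      --output "$WORK/dump.tar.gpg" --encrypt
}

sender_can_decrypt() {  # expected to fail: the sender has no secret key
  gpg_as "$WORK/sender" --decrypt "$WORK/dump.tar.gpg" >/dev/null 2>&1
}

recipient_decrypt() {  # prints the recovered file, using the recipient's secret key
  gpg_as "$WORK/recipient" --pinentry-mode loopback --passphrase "$PASSPHRASE" \
    --decrypt "$WORK/dump.tar.gpg" 2>/dev/null | tar -xOf - ./accounts.csv
}

cleanup() {  # stop the per-keyring agents and remove the throwaway material
  gpgconf --homedir "$WORK/recipient" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$WORK/sender" --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}

# Run with the argument "demo" to execute the whole flow end to end.
[ "${1:-}" != "demo" ] || { setup_keys; encrypt_dump; recipient_decrypt; cleanup; }
```

Sending to a different party means importing that party's public key and changing the `--recipient` value; nothing else on the sending side changes.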

(no subject)

Date: 2005-06-08 03:25 am (UTC)
From: [identity profile] docstrange.livejournal.com
Veritas makes it as easy as flipping a flag to kick the tape dump into DES with a static key, which would make the cracking effort outweigh the value of recovery. I believe now you can also kick on 128-AES which while theoretically breakable some day in the future given the right hooks, is well beyond reasonable cost justification for the data. A question becomes how much it slows down writing the tapes.

These probably were not backups, though. They were sent TO Experian. Experian is a data warehouse for financial data, not a backup storage facility. Still leaves open the question of why no crypto.

But there are bigger questions -- like what kind of screwy system makes this low-threshold data the keys to the kingdom.

Page generated Aug. 9th, 2025 12:55 pm