doc_strange ([personal profile] doc_strange) wrote 2005-06-06 09:08 pm

Citi unencrypted tapes "go missing" with confidential customer info

Yet another financial manages to have "go missing" a tape-set full of "Social Security numbers, names, account history and loan information about retail customers, and former customers" -- this time from a division of Citi; the tapes were bound for Experian. They didn't make it.

Read about it on CNN.

A number of other financials have also reported missing tapes. Makes you wonder whether these are "coincidental" losses. Two possibilities: things have been sloppy all along and new audit rules are finding out; and/or there's a targeted effort to nail [backup] copies of this financial data.

Mind, I think the REAL issue is that this petty data is all it takes to compromise someone's financial LIFE... but that's a rant for another day.

[identity profile] marsgov.livejournal.com 2005-06-07 02:23 am (UTC)(link)
Let me go a bit further than that: all the information, these financial histories, were going to be placed in huge databases and sold to data mining corporations.

I have to wonder if it's better that the data were stolen instead.

[identity profile] docstrange.livejournal.com 2005-06-07 02:25 am (UTC)(link)
A Robin Hood or just a hood. One must wonder, yes. Personally, I vote "hood" since they can just do another dump and send to Experian.

[identity profile] marsgov.livejournal.com 2005-06-07 02:29 am (UTC)(link)
Well, yes, for rhetorical reasons I carefully avoided the obvious, that the tapes would simply be sent again.

But the thieves seem to be performing an important public service at this point; they're highlighting not only the lack of security, but the proliferation of data.

[personal profile] liana 2005-06-07 02:43 am (UTC)(link)
Considering how much data has been exposed lately, let's hope that someone gets the hint Real Soon Now.

[identity profile] docstrange.livejournal.com 2005-06-07 02:53 am (UTC)(link)
I have to agree with that (and [livejournal.com profile] tezliana) -- whether there are thieves or not. You know I more or less agree on your point that liability needs to shift onto the lender. Then the nature of the data will matter less than its evidentiary value.

[identity profile] holzman.livejournal.com 2005-06-07 01:54 pm (UTC)(link)
I'm speculating that things have been sloppy all along. Damn few people encrypt their backups.

[identity profile] cosinejeremiah.livejournal.com 2005-06-07 07:09 pm (UTC)(link)
I've never seen anyone encrypt their backups. It cannot possibly be hard to run things through PGP/GPG, since encryption can be automatic and decryption can require a passphrase.

Oh, these tapes need to go to Experian? Use their public key instead of ours this time.

Ouch! My head hurt from the complexity of figuring this out!
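The approach described in the comment above, as an added example that is not part of the original thread: a dump is encrypted to the recipient's public key before it is written out, so the sending job runs unattended and only the recipient's passphrase-protected private key can decrypt it. It assumes GnuPG 2.x; the function name, paths and fingerprint argument are hypothetical.

```bash
#!/bin/sh
# Added example (not from the thread). Assumes GnuPG 2.x, and that the
# recipient's public key was imported and its fingerprint verified out of band.

# encrypt_dump <recipient-fingerprint> <source-dir> <output-file>
# The body is a subshell, so its variables and exit codes stay local.
encrypt_dump() (
    fpr=$1 src=$2 out=$3

    # Fail closed: if the verified recipient key is not in the keyring,
    # write nothing rather than fall back to a plaintext dump.
    if ! gpg --batch --list-keys "$fpr" >/dev/null 2>&1; then
        echo "recipient key $fpr not in keyring; refusing to write dump" >&2
        exit 1
    fi
    [ -d "$src" ] || { echo "source $src is not a directory" >&2; exit 1; }

    tmp="$out.partial"
    # Encryption needs only the public key: no passphrase prompt, and the
    # sending host holds nothing that can decrypt the result.
    # --trust-model always is used because the full fingerprint was
    # verified by hand, not because any key in the keyring is acceptable.
    if tar -C "$src" -cf - . |
        gpg --batch --yes --trust-model always \
            --encrypt --recipient "$fpr" --output "$tmp"
    then
        mv "$tmp" "$out"      # publish only a completely written file
    else
        rm -f "$tmp"
        exit 1
    fi
)

# Recipient side, run by whoever holds the private key (gpg asks for its
# passphrase):
#   gpg --decrypt dump.tar.gpg | tar -xf -
```

Sending the same data to a different party means passing that party's fingerprint instead; nothing else in the job changes.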

[identity profile] docstrange.livejournal.com 2005-06-08 03:25 am (UTC)(link)
Veritas makes it as easy as flipping a flag to kick the tape dump into DES with a static key, which would make the cracking effort outweigh the value of recovery. I believe now you can also kick on 128-AES which while theoretically breakable some day in the future given the right hooks, is well beyond reasonable cost justification for the data. A question becomes how much it slows down writing the tapes.

These probably were not backups, though. They were sent TO Experian. Experian is a data warehouse for financial data, not a backup storage facility. Still leaves open the question of why no crypto.

But there are bigger questions -- like what kind of screwy system makes this low-threshold data the keys to the kingdom.