doc_strange wrote 2005-06-06 09:08 pm

Citi unencrypted tapes "go missing" with confidential customer info

Yet another financial manages to have "go missing" a tape-set full of "Social Security numbers, names, account history and loan information about retail customers, and former customers" -- this time from a division of Citi; the tapes were bound for Experian. They didn't make it.

Read about it on CNN.

A number of other financials have also reported missing tapes. Makes you wonder whether these are "coincidental" losses. Two possibilities: things have been sloppy all along and new audit rules are finding that out; and/or there's a targeted effort to nail [backup] copies of this financial data.

Mind, I think the REAL issue is that this petty data is all it takes to compromise someone's financial LIFE... but that's a rant for another day.

cosinejeremiah.livejournal.com 2005-06-07 07:09 pm (UTC)
I've never seen anyone encrypt their backups. It cannot possibly be hard to run things through PGP/GPG, since encryption can be automatic and decryption can require a passphrase.

Oh, these tapes need to go to Experian? Use their public key instead of ours this time.

Ouch! My head hurt from the complexity of figuring this out!
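
The workflow the comment above describes, as an added example that is not part of the original thread: the sending host encrypts a tape dump unattended with only the recipient's public key, and only the recipient's passphrase-protected private key can read it. The recipient identity, passphrase, paths and record are constructed for the demo; it assumes GnuPG 2.1 or later.

```bash
#!/usr/bin/env bash
# Added example. Identity, passphrase and data are constructed for the demo.
set -euo pipefail

WORK=$(mktemp -d)
SENDER_HOME="$WORK/sender"        # backup host: holds the public key only
RECIPIENT_HOME="$WORK/recipient"  # receiving party: holds the private key
RCPT="intake@recipient.example"   # hypothetical recipient identity
PASS="constructed-demo-passphrase"
mkdir -m 700 "$SENDER_HOME" "$RECIPIENT_HOME"
cleanup() {
  gpgconf --homedir "$SENDER_HOME" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$RECIPIENT_HOME" --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}
trap cleanup EXIT

# Recipient, once: create a passphrase-protected key pair, publish the public half.
gpg --homedir "$RECIPIENT_HOME" --batch --quiet --pinentry-mode loopback \
    --passphrase "$PASS" --quick-generate-key "$RCPT"
gpg --homedir "$RECIPIENT_HOME" --batch --armor --export "$RCPT" > "$WORK/recipient.asc"

# Sender, once: import it. In production, check the fingerprint out of band
# and sign/trust the key instead of using --trust-model always as below.
gpg --homedir "$SENDER_HOME" --batch --quiet --import "$WORK/recipient.asc"

# Unattended step on the backup host: no passphrase, no private key involved.
encrypt_dump() {  # encrypt_dump <source-dir> <output-file>
  tar -C "$1" -cf - . |
    gpg --homedir "$SENDER_HOME" --batch --quiet --trust-model always \
        --encrypt --recipient "$RCPT" --output "$2"
}

# The sending side cannot read back what it wrote (it has no secret key).
sender_can_decrypt() {
  gpg --homedir "$SENDER_HOME" --batch --quiet --decrypt "$1" >/dev/null 2>&1
}

# Recipient: decrypting needs the private key and its passphrase.
recipient_list() {
  gpg --homedir "$RECIPIENT_HOME" --batch --quiet --pinentry-mode loopback \
      --passphrase "$PASS" --decrypt "$1" | tar -tf -
}

mkdir "$WORK/dump"
echo "CONSTRUCTED-RECORD name=Test Person acct=0000" > "$WORK/dump/customers.txt"
encrypt_dump "$WORK/dump" "$WORK/dump.tar.gpg"
recipient_list "$WORK/dump.tar.gpg"
```

A tape lost in transit then exposes only ciphertext; the exposure moves to how the recipient stores its private key and passphrase.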

docstrange.livejournal.com 2005-06-08 03:25 am (UTC)
Veritas makes it as easy as flipping a flag to kick the tape dump into DES with a static key, which would make the cracking effort outweigh the value of recovery. I believe now you can also kick on 128-AES which, while theoretically breakable some day in the future given the right hooks, is well beyond reasonable cost justification for the data. A question becomes how much it slows down writing the tapes.

These probably were not backups, though. They were sent TO Experian. Experian is a data warehouse for financial data, not a backup storage facility. Still leaves open the question of why no crypto.

But there are bigger questions -- like what kind of screwy system makes this low-threshold data the keys to the kingdom.