Data security 1.2 million card hacked

Bank's Tape Loss Puts Spotlight on Backup Practices

February 28, 2005
By Paul Shread (from Enterprisestorageforum.com website)

Bank of America's admission on Friday that the company lost data tapes containing federal workers' customer and account information will likely bring renewed attention to data security issues.

The bank confirmed that "a small number of computer data tapes were lost during shipment to a backup data center. The missing tapes contained U.S. federal government charge card program customer and account information."

The Washington Post reported that the lost data tapes included personal information on 1.2 million federal employees, among them Sen. Patrick Leahy (D-Vt.).

Bank of America said it notified federal law enforcement officials, and added that "the investigation to date has found no evidence to suggest the tapes or their content have been accessed or misused, and the tapes are now presumed lost. Government cardholder accounts included on the data tapes have been and will continue to be monitored by Bank of America, and government cardholders will be contacted should any unusual activity be detected. No unusual activity has been observed to date."

On top of a recent disclosure that data warehouser ChoicePoint had compromised the personal data of 140,000 consumers, the Bank of America admission will likely bring renewed scrutiny of data security and backup processes.

"Very few people encrypt backup tapes, which means that they rely on the security of the backup and off-site rotation process," said Jon Oltsik, senior analyst for information security at Enterprise Strategy Group. "Here's a clear example of the risks of doing this."

The result will likely be a jump in business for companies that encrypt data, Oltsik told Enterprise Storage Forum. "I expect that the phones will be ringing at Decru, Kasten-Chase and Neoscale on Monday," he said.

The recent data security breaches are likely to bring renewed attention to efforts by Sen. Dianne Feinstein (D-Calif.) to craft national identity theft legislation expanding on California's Database Breach Act, or state law SB 1386, which requires state agencies and businesses that collect personal information from California customers to promptly disclose security breaches or face severe penalties. The California law exempts encrypted data.

Feinstein reiterated her call for such national legislation last week after the ChoicePoint disclosure.