Do You Know Where Your Backup Tape is Today?
Now financial institutions have the same hesitation when asked, "Do you know where your backup tapes are?" There are a few hard and fast rules about what you're "supposed" to do for your financial institution. Having a belt and suspenders approach to information security is one of them. Knowing where that set of suspenders is located (we're talking about back up tapes) is important.
The recent news from Bank of New York Mellon and the missing back up tape with 4.5 million customers' information on it wasn't one that anyone would want to announce. The bank says the archival service it employs was delivering a box of tapes to the storage facility. That one tape (unencrypted) was missing when the box got to the facility.
Do you know where your backup tapes are?
I'll hope that the tape is somewhere in the land of lost tapes for Bank of New York Mellon's sake. When listening to the story and the outrage it is sparking from such notable persons as Connecticut Attorney General Richard Blumenthal, I have to ask the simple question, "Why wasn't the tape encrypted before it was sent out to the storage facility?"
Yes, I'll grant that the chances of someone having the technical ability to mount the tape and read the customer account info and social security numbers and all the other treasure trove of information on that tape is less likely than it is sitting on a shelf somewhere gathering dust. But consider this, what if a person has possession of the tape and finds out how to get the information off of it? The picture in my mind's eye isn't very bright for those 4.5 million bank customers, or the amount of customer confidence in Bank of New York Mellon.
While Bank of New York Mellon works to notify the customers whose information was on this tape and further investigate where it might be, it is a time for others that hold the "keys to the kingdom" or the "golden treasure trove" to reflect on what they're doing to protect their customers' information. Do you encrypt your institution's backup tapes? Or maybe the question should be -- why aren't you encrypting your backup tapes?