Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:28 PM
Patricia Keefe
Patricia Keefe

(Missing) Without A Trace: The IBM Tapes

Did you read about the missing IBM Tapes? It's almost like another undecipherable episode from "Lost," except it's a car that may have crashed in this case, apparently, and it's tapes that got lost in the aftermath.

Did you read about the missing IBM Tapes? It's almost like another undecipherable episode from "Lost," except it's a car that may have crashed in this case, apparently, and it's tapes that got lost in the aftermath.Those tapes contain some data on some customer accounts, as well as personally identifying data on an unknown number of current and former IBM employees, such as their Social Security numbers, dates of employment, birth date, contact information, and work history.

For a company that sells its security expertise -- IBM is probably raking in big bucks as part of the team of security experts that is helping the TJX companies unravel the hack of the year -- this has to be an embarrassing admission: "We've lost some data, and we can't find it anywhere."

IBM won't say how many tapes, or how many employees have been notified. It did say the tapes were lost without a trace on Feb. 23, and that it started notifying employees in April. A company spokesman told the AP that some of the tapes were encrypted, but not all. The same spokesman declined to tell InformationWeek whether any of the tapes were encrypted, saying only that the tapes "had differing levels of protection."

So where are the tapes? Did they bounce out of the car of the subcontractor that was hauling them off to a storage facility? All IBM seems to know is that it can't find them. The company said it has posted an offer for an "unspecified" reward in several New York papers, which, so far, has failed to turn up the tapes. Maybe IBM should consider contacting a "Medium" to find those tapes -- can't hurt.

What could hurt, though, is the delay between finding out the tapes were missing and then notifying employees. "It took us a while to determine what was on the missing tapes, and then it took a while to line up the credit monitoring and to begin notifying people," said IBM spokesman Fred McNeese.

The first part I get -- of course they have to figure out what tapes were lost, and what was on them. But the second part, um, no. If it were me, and it was my data lurking in the weeds -- or worse -- I'd much rather IBM notified me first and then worried about lining up the credit monitoring. For one -- I can start to monitor my own credit immediately, thank you very much. For another, credit monitoring basically amounts to notification after the fact. You've already been defrauded. If they happen to realize it, they'll let yah know. Which is why these offers of free creditor monitoring for a year don't really amount to much. And that's why the sooner you know your data has been compromised or is a strong candidate for compromise, the sooner you can do what little you can do. For example, if it's credit cards, you can get them changed or canceled or frozen immediately. That could actually be useful if you get notified quickly enough, although it's the one thing no company ever seems willing to do.

Another curious issue -- you'd think a nightmare of a case like TJX (with total losses now pegged at $4.5 billion), where it seems some of the data wasn't encrypted, would raise a red flag, sound the alarm!, put every company on alert!, that "Gee, maybe we better check and see if our data is encrypted." And here's IBM working on that very case....

So if the lessons of TJX seem to have passed your IT department by, why not let IBM's lesson be your wake-up call? As hard it might be to track a computer intruder, it can be even harder to find physical data storage that is simply lost. Hmm, maybe while you're encrypting that data, you might want to consider installing some sort of tracking device. Works for pets, cell phones, and automobiles, why not tape drives and laptops?


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-12
The ALPS ALPINE touchpad driver before 8.2206.1717.634, as used on various Dell, HP, and Lenovo laptops, allows attackers to conduct Path Disclosure attacks via a "fake" DLL file.
PUBLISHED: 2020-08-12
Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control.
PUBLISHED: 2020-08-12
search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.
PUBLISHED: 2020-08-12
PHP-Fusion 9.03 allows XSS via the error_log file.
PUBLISHED: 2020-08-12
PHP-Fusion 9.03 allows XSS on the preview page.