
Risk | Commentary
5/18/2007 05:28 PM
Patricia Keefe

(Missing) Without A Trace: The IBM Tapes

Did you read about the missing IBM Tapes? It's almost like another undecipherable episode from "Lost," except it's a car that may have crashed in this case, apparently, and it's tapes that got lost in the aftermath.

Those tapes contain some data on some customer accounts, as well as personally identifying data on an unknown number of current and former IBM employees, such as their Social Security numbers, dates of employment, birth date, contact information, and work history.

For a company that sells its security expertise -- IBM is probably raking in big bucks as part of the team of security experts that is helping the TJX companies unravel the hack of the year -- this has to be an embarrassing admission: "We've lost some data, and we can't find it anywhere."

IBM won't say how many tapes, or how many employees have been notified. It did say the tapes were lost without a trace on Feb. 23, and that it started notifying employees in April. A company spokesman told the AP that some of the tapes were encrypted, but not all. The same spokesman declined to tell InformationWeek whether any of the tapes were encrypted, saying only that the tapes "had differing levels of protection."

So where are the tapes? Did they bounce out of the car of the subcontractor that was hauling them off to a storage facility? All IBM seems to know is that it can't find them. The company said it has posted an offer for an "unspecified" reward in several New York papers, which, so far, has failed to turn up the tapes. Maybe IBM should consider contacting a "Medium" to find those tapes -- can't hurt.

What could hurt, though, is the delay between finding out the tapes were missing and then notifying employees. "It took us a while to determine what was on the missing tapes, and then it took a while to line up the credit monitoring and to begin notifying people," said IBM spokesman Fred McNeese.

The first part I get -- of course they have to figure out what tapes were lost, and what was on them. But the second part, um, no. If it were me, and it was my data lurking in the weeds -- or worse -- I'd much rather IBM notified me first and then worried about lining up the credit monitoring. For one -- I can start to monitor my own credit immediately, thank you very much. For another, credit monitoring basically amounts to notification after the fact. You've already been defrauded. If they happen to realize it, they'll let you know. Which is why these offers of free credit monitoring for a year don't really amount to much. And that's why the sooner you know your data has been compromised or is a strong candidate for compromise, the sooner you can do what little you can do. For example, if it's credit cards, you can get them changed or canceled or frozen immediately. That could actually be useful if you get notified quickly enough, although it's the one thing no company ever seems willing to do.

Another curious issue -- you'd think a nightmare of a case like TJX (with total losses now pegged at $4.5 billion), where it seems some of the data wasn't encrypted, would raise a red flag, sound the alarm!, put every company on alert!, that "Gee, maybe we better check and see if our data is encrypted." And here's IBM working on that very case....

So if the lessons of TJX seem to have passed your IT department by, why not let IBM's lesson be your wake-up call? As hard as it might be to track a computer intruder, it can be even harder to find physical data storage that is simply lost. Hmm, maybe while you're encrypting that data, you might want to consider installing some sort of tracking device. Works for pets, cell phones, and automobiles, so why not tape drives and laptops?
