Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/18/2007
05:28 PM
Patricia Keefe
Patricia Keefe
Commentary
50%
50%

(Missing) Without A Trace: The IBM Tapes

Did you read about the missing IBM Tapes? It's almost like another undecipherable episode from "Lost," except it's a car that may have crashed in this case, apparently, and it's tapes that got lost in the aftermath.

Did you read about the missing IBM Tapes? It's almost like another undecipherable episode from "Lost," except it's a car that may have crashed in this case, apparently, and it's tapes that got lost in the aftermath.Those tapes contain some data on some customer accounts, as well as personally identifying data on an unknown number of current and former IBM employees, such as their Social Security numbers, dates of employment, birth date, contact information, and work history.

For a company that sells its security expertise -- IBM is probably raking in big bucks as part of the team of security experts that is helping the TJX companies unravel the hack of the year -- this has to be an embarrassing admission: "We've lost some data, and we can't find it anywhere."

IBM won't say how many tapes, or how many employees have been notified. It did say the tapes were lost without a trace on Feb. 23, and that it started notifying employees in April. A company spokesman told the AP that some of the tapes were encrypted, but not all. The same spokesman declined to tell InformationWeek whether any of the tapes were encrypted, saying only that the tapes "had differing levels of protection."

So where are the tapes? Did they bounce out of the car of the subcontractor that was hauling them off to a storage facility? All IBM seems to know is that it can't find them. The company said it has posted an offer for an "unspecified" reward in several New York papers, which, so far, has failed to turn up the tapes. Maybe IBM should consider contacting a "Medium" to find those tapes -- can't hurt.

What could hurt, though, is the delay between finding out the tapes were missing and then notifying employees. "It took us a while to determine what was on the missing tapes, and then it took a while to line up the credit monitoring and to begin notifying people," said IBM spokesman Fred McNeese.

The first part I get -- of course they have to figure out what tapes were lost, and what was on them. But the second part, um, no. If it were me, and it was my data lurking in the weeds -- or worse -- I'd much rather IBM notified me first and then worried about lining up the credit monitoring. For one -- I can start to monitor my own credit immediately, thank you very much. For another, credit monitoring basically amounts to notification after the fact. You've already been defrauded. If they happen to realize it, they'll let yah know. Which is why these offers of free creditor monitoring for a year don't really amount to much. And that's why the sooner you know your data has been compromised or is a strong candidate for compromise, the sooner you can do what little you can do. For example, if it's credit cards, you can get them changed or canceled or frozen immediately. That could actually be useful if you get notified quickly enough, although it's the one thing no company ever seems willing to do.

Another curious issue -- you'd think a nightmare of a case like TJX (with total losses now pegged at $4.5 billion), where it seems some of the data wasn't encrypted, would raise a red flag, sound the alarm!, put every company on alert!, that "Gee, maybe we better check and see if our data is encrypted." And here's IBM working on that very case....

So if the lessons of TJX seem to have passed your IT department by, why not let IBM's lesson be your wake-up call? As hard it might be to track a computer intruder, it can be even harder to find physical data storage that is simply lost. Hmm, maybe while you're encrypting that data, you might want to consider installing some sort of tracking device. Works for pets, cell phones, and automobiles, why not tape drives and laptops?

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19037
PUBLISHED: 2019-11-21
ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero.
CVE-2019-19036
PUBLISHED: 2019-11-21
btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because rcu_dereference(root->node) can be zero.
CVE-2019-19039
PUBLISHED: 2019-11-21
__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program.
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.