For a company that sells its security expertise -- IBM is probably raking in big bucks as part of the team of security experts that is helping the TJX companies unravel the hack of the year -- this has to be an embarrassing admission: "We've lost some data, and we can't find it anywhere."
IBM won't say how many tapes, or how many employees have been notified. It did say the tapes were lost without a trace on Feb. 23, and that it started notifying employees in April. A company spokesman told the AP that some of the tapes were encrypted, but not all. The same spokesman declined to tell InformationWeek whether any of the tapes were encrypted, saying only that the tapes "had differing levels of protection."
So where are the tapes? Did they bounce out of the car of the subcontractor that was hauling them off to a storage facility? All IBM seems to know is that it can't find them. The company said it has posted an offer for an "unspecified" reward in several New York papers, which, so far, has failed to turn up the tapes. Maybe IBM should consider contacting a "Medium" to find those tapes -- can't hurt.
What could hurt, though, is the delay between finding out the tapes were missing and then notifying employees. "It took us a while to determine what was on the missing tapes, and then it took a while to line up the credit monitoring and to begin notifying people," said IBM spokesman Fred McNeese.
The first part I get -- of course they have to figure out what tapes were lost, and what was on them. But the second part, um, no. If it were me, and it were my data lurking in the weeds -- or worse -- I'd much rather IBM notified me first and then worried about lining up the credit monitoring. For one -- I can start to monitor my own credit immediately, thank you very much. For another, credit monitoring basically amounts to notification after the fact. You've already been defrauded. If they happen to realize it, they'll let yah know. Which is why these offers of free credit monitoring for a year don't really amount to much. And that's why the sooner you know your data has been compromised or is a strong candidate for compromise, the sooner you can do what little you can do. For example, if it's credit cards, you can get them changed or canceled or frozen immediately. That could actually be useful if you get notified quickly enough, although it's the one thing no company ever seems willing to do.
Another curious issue -- you'd think a nightmare of a case like TJX (with total losses now pegged at $4.5 billion), where it seems some of the data wasn't encrypted, would raise a red flag, sound the alarm!, put every company on alert!, that "Gee, maybe we better check and see if our data is encrypted." And here's IBM working on that very case....
So if the lessons of TJX seem to have passed your IT department by, why not let IBM's lesson be your wake-up call? As hard as it might be to track a computer intruder, it can be even harder to find physical data storage that is simply lost. Hmm, maybe while you're encrypting that data, you might want to consider installing some sort of tracking device. Works for pets, cell phones, and automobiles, why not tape drives and laptops?