Two Data Breaches To Tell Your Customers About

Last week, it was reported in the Vancouver Sun that the executive of a direct-marketing firm absconded with a computer backup tape containing the names and information of about 3.2 million customers as well as the credit card and bank information of more than 800,000 customers.

That same news organization also reported last week that inadequate security procedures at the Canadian Imperial Bank of Commerce mean that more than 470,000 customers whose data was on a hard drive that disappeared two years ago can't be assured they won't be subject to fraud.

Both items point to the need to protect data, and to the ridiculously low priority that companies around the world place on protecting that data.

In the first case, the employee, who was vice president of IT at C-W Agencies in Vancouver, left the company in early November, the Vancouver Sun reported. After he left, the tape with the data was discovered missing.

The good news is that the data on the missing tape was encrypted. The bad news? The information and programs needed to decrypt the data were also on the tape.

Yikes!

The full story can be read by clicking here.

In the second story, data was being transferred by the Canadian bank to a mutual fund company as part of a server consolidation project in December 2006. Because of the amount of data, the bank decided to send it via two hard drives—one by land, one by air—rather than send the data over an internal network.

Unfortunately, when the package sent by land courier containing the hard drive arrived, the drive was empty and no trace of tampering was found, the Vancouver Sun reported.

The bank suspects the data was not actually copied to the second disk but unfortunately has no way of knowing for sure, according to the Sun. And officials may never know for sure either, although the government has found no evidence of fraud based on the data.

The full story can be read by clicking here.

Data security is not a Canadian issue. It is an issue that faces all of us, and one that can usually be mitigated with the use of available technologies and help from a local solution provider.

These two examples point out two of the most common security issues faced by anyone storing sensitive data.

In the first case, either there was no policy in place to prevent an employee from accessing data he would normally not be allowed to access, or the employee, a company executive, was able to circumvent policy. Either one is inexcusable.

As solution providers, you typically can't legally set security or storage policies for your customers. But you can make recommendations about what policies need to be set, how to set them, and what technologies may be available to help.

In the second case, the bank did not have the right systems in place to monitor data storage access. That, too, can be covered with tools to monitor and audit data access, tools that you can take to customers.

Oh boy. Do I smell opportunities here? You bet!

You could start by taking copies of these two stories on your next customer call.
