Thursday, June 09, 2005

Not As Reassuring As They Might Think

So now we hear CitiFinancial is dropping backup tapes after data loss. Perhaps they're thinking that this announcement, together with the repeated statement that it was UPS that lost the tapes, will somehow show they care: "CitiFinancial plans to begin encrypting data and sending it to credit bureaus electronically after data tapes containing the personal information of 3.9 million customers were lost by UPS." This report actually does three things.
  1. Confirms that the lost tapes were not encrypted.
  2. Confirms that Citi knows that the data really should have been encrypted in the first place.
  3. Suggests that sending the data electronically is somehow safer than using a courier.
Try telling #3 to U.S. spy agencies that routinely use couriers rather than networks for really sensitive data transfers. And don't forget that one of the largest holders of data about you, dear reader, has suffered several "losses" despite using electronic transfer instead of tapes:
And don't miss the really scary part of Citi's statement: "We and other lenders provide this information each month to credit bureaus...via nationally recognized couriers and require them to use enhanced security procedures to transport the tapes from our data center to the bureaus."

So, like I said in my last posting, large numbers of unencrypted tapes full of your financial details have been flying around the country for years. Untold numbers have likely gone missing. After all, if this were an isolated incident, Citi would be the first to defend its practice of using UPS by saying "This is the first time this has ever happened." It is only the new notification laws that are finally shedding light on this sad state of affairs.

Stephen
