Commentary

Patricia Keefe
 

(Missing) Without A Trace: The IBM Tapes

Did you read about the missing IBM Tapes? It's almost like another undecipherable episode from "Lost," except it's a car that may have crashed in this case, apparently, and it's tapes that got lost in the aftermath.

Did you read about the missing IBM Tapes? It's almost like another undecipherable episode from "Lost," except it's a car that may have crashed in this case, apparently, and it's tapes that got lost in the aftermath.Those tapes contain some data on some customer accounts, as well as personally identifying data on an unknown number of current and former IBM employees, such as their Social Security numbers, dates of employment, birth date, contact information, and work history.

For a company that sells its security expertise -- IBM is probably raking in big bucks as part of the team of security experts that is helping the TJX companies unravel the hack of the year -- this has to be an embarrassing admission: "We've lost some data, and we can't find it anywhere."


More Security Insights

White Papers

More >>

Reports

More >>

Webcasts

More >>

IBM won't say how many tapes, or how many employees have been notified. It did say the tapes were lost without a trace on Feb. 23, and that it started notifying employees in April. A company spokesman told the AP that some of the tapes were encrypted, but not all. The same spokesman declined to tell InformationWeek whether any of the tapes were encrypted, saying only that the tapes "had differing levels of protection."

So where are the tapes? Did they bounce out of the car of the subcontractor that was hauling them off to a storage facility? All IBM seems to know is that it can't find them. The company said it has posted an offer for an "unspecified" reward in several New York papers, which, so far, has failed to turn up the tapes. Maybe IBM should consider contacting a "Medium" to find those tapes -- can't hurt.

What could hurt, though, is the delay between finding out the tapes were missing and then notifying employees. "It took us a while to determine what was on the missing tapes, and then it took a while to line up the credit monitoring and to begin notifying people," said IBM spokesman Fred McNeese.

The first part I get -- of course they have to figure out what tapes were lost, and what was on them. But the second part, um, no. If it were me, and it was my data lurking in the weeds -- or worse -- I'd much rather IBM notified me first and then worried about lining up the credit monitoring. For one -- I can start to monitor my own credit immediately, thank you very much. For another, credit monitoring basically amounts to notification after the fact. You've already been defrauded. If they happen to realize it, they'll let yah know. Which is why these offers of free creditor monitoring for a year don't really amount to much. And that's why the sooner you know your data has been compromised or is a strong candidate for compromise, the sooner you can do what little you can do. For example, if it's credit cards, you can get them changed or canceled or frozen immediately. That could actually be useful if you get notified quickly enough, although it's the one thing no company ever seems willing to do.

Another curious issue -- you'd think a nightmare of a case like TJX (with total losses now pegged at $4.5 billion), where it seems some of the data wasn't encrypted, would raise a red flag, sound the alarm!, put every company on alert!, that "Gee, maybe we better check and see if our data is encrypted." And here's IBM working on that very case....

So if the lessons of TJX seem to have passed your IT department by, why not let IBM's lesson be your wake-up call? As hard it might be to track a computer intruder, it can be even harder to find physical data storage that is simply lost. Hmm, maybe while you're encrypting that data, you might want to consider installing some sort of tracking device. Works for pets, cell phones, and automobiles, why not tape drives and laptops?


Related Reading




Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

InformationWeek encourages readers to engage in spirited, healthy debate, including taking us to task. However, InformationWeek moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. InformationWeek further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
T-Shirt Giveaway T-Shirt Giveaway: Each week we're selecting one great comment from our readers. The author of the comment will receive an InformaitonWeek Community t-shirt. So get posting!
Subscribe to RSS

Resource Links