Latest incident: UPS loses Citigroup tapes with data on 3.9 million customers
Companies are scrambling to encrypt data on tapes shipped to off-site centers for archiving and disaster recovery, and they're taking other steps to avoid the kinds of data-loss incidents that have been a major source of embarrassment in recent months. Last week it was Citigroup's turn, as the bank revealed that a box of tapes containing information on 3.9 million customers was lost in transit.
Time Warner last month reported that tapes containing data on 600,000 current and former employees were lost while en route to an off-site data center operated by Iron Mountain Inc. In April, Ameritrade Inc. said it misplaced a backup tape containing data on 200,000 current and former customers. And in February, Bank of America disclosed the loss of tapes containing information on 1.2 million credit-card customers.
In the Citigroup incident, a box of unencrypted tapes shipped May 2 via UPS Inc. never arrived at its destination, an Experian credit bureau in Texas. The tapes contained names, Social Security numbers, account numbers, and payment histories of customers of CitiFinancial, which provides personal, automobile, and home-equity loans. They also held information on customers with closed accounts from CitiFinancial Retail Services, which provides private-label credit cards for retailers.
UPS hasn't recovered the box but says there's no indication it was stolen. Citigroup has received no reports of unauthorized activity using the data. In July, Citigroup will begin sending data electronically in encrypted form.
Since losing its tapes, Bank of America has strengthened procedures for tracking tapes and is testing several encryption processes, a spokeswoman says. Since late last year, all of the bank's data transmissions to credit bureaus have been encrypted. The bank also is sending more data to backup sites electronically instead of on tape.
IT execs at other companies aren't taking chances. Transaction Network Services Inc., which provides network services to payment processors, is encrypting personal-account and credit-card information sent across its Synapse system. Synapse provides payment services for merchants that use wireless devices, including taxi and limousine companies, towing services, and mobile concession stands. Transaction Network Services is installing DataSecure, a hardware appliance and encryption software from Ingrian Networks Inc., in its data centers to guard against data losses like Citigroup's, says Scott Ziegler, the company's chief systems officer.
New Castle Hotels & Resorts, which manages Hilton, Marriott, Sheraton, and Westin properties, plans to encrypt customer correspondence that's backed up on tape at each hotel and stored in a safe. "Some of those letters include personal information, and that's the kind of stuff you can get nailed on," says Al Zaccario, New Castle's director of hotel technology. The company is electronically backing up other sensitive data, such as payroll files, using technology from LiveVault Corp.
Despite the brouhaha over lost data, it will take banks time to make the changes needed to prevent such incidents, says Jacob Jegher, analyst with research firm Celent Communications. The practice of shipping tapes off-site is common and unlikely to disappear anytime soon. "We're looking at a redefinition of processes," he says. "Big banks have a lot of technology and processes which take time to change."