Ameritrade, Bank of America and Time Warner - that had sent back-up tapes to off-site tape repositories. Alas, the tapes were sent out with the data unencrypted, the tapes were "misplaced" (or stolen), and as a result, information on a lot of unsuspecting people may have gotten into the wrong hands. This got a lot of response from my readers because for many of them, these events hit too close to home.
Consider the case of Antonio, a long-time correspondent of mine.
"A long time ago, I had 300 decks of playing cards printed with a product logo for a launch promotion. Because the cards were created at the last minute, I took them with me on the plane to Las Vegas.
"On landing, I used a luggage trolley to move them to a taxi stand along with my luggage. I placed them on the curb, and wheeled the trolley back inside the terminal. When I got back... the cards were gone, never to be seen by me again.
"Was it a crime of opportunity or an inside job? It was not worth investigating, so it was not reported to the police.
"I realize data theft is growing in importance. The loss of 5 tapes is nothing to be trivialized. But was it a planned, premeditated theft to exploit the data? Or was it some punk who saw something that might be valuable and simply grabbed it, like a handbag sitting in an unlocked car?
"Either way, they're probably sitting in a trash can right now."
These last questions raise some interesting points.
Unencrypted data that leaves your primary storage facility is always going to be subject to some level of risk. It makes no difference whether a tape goes astray due to some employee's lackadaisical attitude, administrative incompetence, or outright theft: you are likely to take the heat. And this is how it should be, because part of the continually morphing set of responsibilities that forms your job as a storage administrator is to minimize such risks to whatever degree possible.
No budget for this? There are still steps you can take, beginning with a review of all procedures involved in moving data from one site to another.
1. Draw a diagram illustrating every step required to move a tape from a drive to any other source.
2. Identify any instances where outside employees - contractors, people who work for other companies, etc. - are involved. What oversight do you have over outside employees? Are they bonded?
3. Review your own methods for moving data within the company. What oversight do you have over your own employees? Are non-IT employees involved? Are the tapes at any point left unattended?
4. Tighten up the system.
This is of course just a beginning. If you do have budget, look to the many vendors now providing encryption products and services. Computer Associates (http://www.ca.com), Decru (http://www.decru.com), Neoscale (http://www.neoscale.com) and Vormetric (http://www.vormetric.com) immediately come to mind. There are of course many others.
My friend Antonio lost some playing cards because he was a good guy and returned a luggage trolley in Las Vegas. What are you prepared to lose?