Zurich Insurance promises changes after data loss Zurich Insurance has promised to improve its information security after losing personal financial information on 46,000 British clients through careless handling of unencrypted backup tapes. The back-up tape, which also contained personal details of 1,800 third party insurance claimants from the UK, was lost by Zurich's South …
IT techies like us say to the upper bods: "You know, this stuff should be encrypted, if it fell into the wrong hands could spell disaster!"
Management: "Well how much will this encrypting thingy cost?"
IT Techie: "Well it could be X thousands up front but the peace of mind of..."
Management: "How much?! Sorry, maybe next year's budget, but with no obvious value for money, sorry but no!"
Big-time FAIL, I agree..but lots of IT (especially support teams) are anti-encryption (I'm in the InfoSec area and have a very hard time over this).
Their business is getting things up and running again, and any risk of failing to restore (or delay in restoring) systems or data due to encryption and key management is a big no-no (time is money). Sad fact but unfortunately true. Funny thing is, when it's the IT team's personal data at risk then their objections go out of the window.
It's harder than you think to convince people about secure practices, even though obvious to the likes of us.
Because manglement is on their backs for using too much time to restore service. And they can get away with it because InfoSec is not going for manglement's throat when something goes wrong. Probably because InfoSec doesn't have the clout they need to actually tear out a throat or two as and when needed. So start complaining at the CEO or board, then get back to us when they're ready to shell out for the necessary procedures.
You get what you pay for...
All backup tapes would be encrypted. But in the real world, it costs money and (perhaps more important) takes extra time, when many organisations struggle to fit their backup process into the time slots that are available.
The downside of unencrypted tapes is really the bad publicity if (when) they're lost - as in this case. It's overwhelmingly more likely that it's been misfiled in transit than that it's fallen into the hands of some devilish gang of identity thieves with access to an LTO tape reader - and if it's just one tape from a series, it may well be difficult to reconstruct the data it contains in any meaningful way.
By "was lost by Zurich's South African sister company during what was described as a routine transfer to a data storage facility in South Africa " I take it they mean that their offsite vault supplier lost the tapes for them...
Re: Tape encryption - We don't know when these tapes were written, it may have been years ago and only came to light when the tapes weren't returned to site - good, fast tape encryption has only really been available in the last five or so years. It is very expensive, it is also very complicated to implement a global key management infrastructure to handle key distribution and ageing. I would expect to see more 'we can't get your data back' stories as tape encryption becomes cheaper and more people implement without knowing exactly what they're doing.
Cant be a M$ run company then, they don't bother with backups.
We use double SSL encryption which make everything automatically encrypted before any data is written to disk. If the data were after transfer to fall into the wrong hands due to an accident, we are sure the data is safe ... so long as they did not also have access to the originating server.
And then during a backup the data is encrypted again with different keys. Its not great issue to decrypt or encrypt in real-time if its planned in from the outset. Its just another step in the whole process.
If there is no penalty other than having to 'promise not to do it again', then no company will *ever* proactively secure anything. They'll wait until something gets lost, then promise not to do it again.
Just like Health and Safety, *nothing will change until there are consequences for breaches*
The only reason for the UK's currently excellent record on workplace safety is because doing nothing costs too much when there is an accident - and has the potential to be really expensive even without an accident.
Yet not bothering with Data Protection costs nothing at all, even when massive breaches happen!
I think losing customer data can be a good thing (if done enough).
Citibank for instance whom I have been an account holder of most of my life has sent me several letters through the years telling me through their careless activity they lost confidential customer information to an unknown amount of clients.
These are all snail mailed letters that can be confirmed by Citi with a phone call. They've done this enough that when you see the letter come in you know what it is.......
But theres a light at the end of that tunnel. They always seem to have some "free" credit monitoring program open to you "for a limited amount of time" since Citi knows that identity thieves usually don't try to steal the identity of people after so much time.
They know it better then we all do, that's why they continue to lose customer data and make money on the backend by those taking advantage of these credit monitoring programs. It's only free for a limited time then you pay and Citi gets paid.
I say to Zurich, follow Citis lead, maybe you can get 25 billion from our government as well.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
