Stephen Withers
Tuesday, 25 August 2009 10:14
When an organisation claims media containing sensitive data was lost in transit, it's probably telling porkies. A data security expert says that's often just a cover story.
When companies and other organisations are forced to admit to "data indiscretions" (events where data that should have been kept secure has been allowed to reach the outside world) they'll often claim that 'a tape fell off the back of a truck' or 'a CD was lost in the post'.
According to Eric Hibbard, a member of the SNIA technical council and CTO for security and privacy at Hitachi Data Systems, that's typically just a cover-up.
Hibbard told iTWire that organisations will sometimes talk to him about such incidents when they won't provide details to the authorities.
And the story released to the public is often not what really happened.
"It [the loss of media] is a problem... but in serious breaches, attackers got at data where it resides," he said.
US law requires organisations to disclose that data has been compromised, but they don't have to say how it happened.
Manufacturers of removable media are concerned about this tendency, he says, as it casts them in a bad light. Most tape manufacturers use an embedded encryption system, so the likelihood of data being recovered from a lost or stolen cartridge is slight.