Saturday, May 3, 2008

IT security lessons from Chrysler's data loss

The disappearance of a DaimlerChrysler Financial Services Canada Inc. data tape -- which contained customer names, addresses and social insurance numbers -- can serve as a strong warning for enterprise data protection, analysts say.
The auto giant's lending division recently told the Office of the Privacy Commissioner of Canada that sensitive personal information from thousands of Canadian auto customers had gone missing in transit from Farmington Hills, Mich. to a Quebec credit agency. The mainframe data tape, which was shipped via United Parcel Service Inc. (UPS), has been missing since early March.

A spokesperson for federal Privacy Commissioner Jennifer Stoddart told ComputerWorld Canada Wednesday that its office has received about 50 inquiries from individuals who might have been affected by the data loss. The commissioner's office said it is still determining the next course of action.

"We're communicating to Chrysler directly to determine actually what took place and what's being done to remedy the situation," spokesperson Anne-Marie Hayden said. "I can't say for sure whether we've had a formal complaint from an individual or not, but that may well take place in the future."

Hayden did not mention UPS specifically, but said the commissioner's office would be discussing the matter with all other relevant parties involved.

Chrysler Financial Services Canada could not be reached for comment at press time.

The case draws parallels to a major Canadian data loss incident last year, where CIBC's mutual fund subsidiary Talvest Mutual Funds lost a backup drive containing personal and financial data of 470,000 individuals while it was in transit between Montréal and Toronto. That data breach was also investigated by the Privacy Commissioner's office.

The major issue in both cases, according to one Canadian security observer, is the measures that these companies took before the data went missing in action. Info-Tech Research Group's James Quin said the loss of a generic backup data tape is not too concerning -- especially if it's only a slice of information from the server. But the Chrysler case, he said, presents an entirely different story.

"It was a discrete set of data, where there was one data pool that had been backed up onto this tape and sent out," Quin, senior research analyst with the London, Ont.-based research firm, said. "The beginning, middle and end of all the data was on this tape, which does make it more accessible. As long as you've got a tape reader, you will be able to get this information."

Even more concerning for Quin though, and what should serve as a warning sign for all enterprises, is the fact that Chrysler has not mentioned the magic 'e' word throughout this entire ordeal.

"At no point has a representative from Chrysler Financial come out and said that this tape was encrypted," he said. "Without definitively saying this, it indicates to me that it probably wasn't."

John Pescatore, vice president and distinguished analyst at Gartner Inc., agreed, saying that while most identity theft has not been linked to lost data tapes, companies can never be too careful when it comes to encryption.

"In cases where a laptop has been stolen or a backup tape is missing, companies have always been quick to say that their information was encrypted and no data was at risk," he said. "The bottom line nowadays is that all companies should be moving toward full encryption of their backup tapes."
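The protection both analysts are describing is that the tape leaving the building carries only ciphertext, with the key held back inside the enterprise. The following Go program is an added illustration of that arrangement and is not code from the article or from any of the companies it names; it assumes AES-256-GCM as the cipher, a constructed sample record in place of a real backup image, and a made-up shipment label bound as associated data so that a mislabelled or altered tape is rejected on receipt rather than silently decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed sample "tape" contents standing in for a backup image of the
// kind the article describes (names, addresses, SINs). Every value is made up.
var sampleBackup = []byte("name,address,sin\nJane Doe,1 Example St,000-000-000\n")

// NewTapeKey generates a random 256-bit key. In a real deployment the key
// would live in an HSM or key-management service and never travel with the tape.
func NewTapeKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealBackup encrypts a backup image with AES-256-GCM. The random nonce is
// prepended to the ciphertext; the label (e.g. a shipment ID) is bound as
// associated data so the blob cannot be re-labelled without detection.
func SealBackup(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, label)...), nil
}

// OpenBackup reverses SealBackup and fails closed on any modification of the
// ciphertext, a wrong key, or a mismatched label.
func OpenBackup(key, sealed, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed backup too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, label)
}

// Fingerprint returns the SHA-256 of the sealed image, recorded at shipment
// and re-checked on receipt so a swapped or damaged tape is noticed.
func Fingerprint(sealed []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(sealed))
}

func main() {
	key, _ := NewTapeKey()
	label := []byte("shipment-2008-03-01") // constructed shipment identifier
	sealed, _ := SealBackup(key, sampleBackup, label)
	fmt.Println("sealed bytes:", len(sealed), "fingerprint:", Fingerprint(sealed))

	// The receiver holding the key and label recovers the data...
	pt, err := OpenBackup(key, sealed, label)
	fmt.Println("recovered intact:", err == nil && string(pt) == string(sampleBackup))

	// ...while a copy with a single flipped byte is rejected outright.
	sealed[len(sealed)-1] ^= 0x01
	_, err = OpenBackup(key, sealed, label)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

The design point is separation of custody: what the courier carries is the sealed image plus its fingerprint, while the key takes a different path (or never leaves the data centre at all), so losing the package in transit loses nothing a tape reader alone can recover.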

IDC Canada's David Senf, director of security and software research, offered another viewpoint, saying that because most Canadian firms are not too worried about losing data in this way, they spend precious little resources in preventing the data loss from occurring in the first place.

"The top focus remains on endpoints and e-mail," Senf said. "The numbers vary by sector but on average, one out of every five firms is concerned with the loss of data from a drive or tape going missing. This is in comparison to four out of five companies concerned with preventing data loss from e-mail.

"IDC research finds that Canadian firms spend too much time trying to detect that a breach or loss of data has occurred rather than planning to prevent it from happening in the first place," he added.

As for how companies can protect themselves from similar breaches in the first place -- especially since the data was lost by Chrysler's courier service -- Quin said enterprises will need to take every measure possible to keep data transports in-house. While it might be sufficient for noncritical data to be shipped by third parties, he said, transferring data covered by government regulations -- such as personal data -- should be done by employees if possible.

"The way an organization can ensure the highest level of security is to deliver it themselves and not off-load it to a third-party," he said. "Anytime you send information out of the enterprise, it's out of your control and you open yourself up to some risk. Maintaining control of your data in all its forms is really an enterprise best practice."

Pescatore disagreed, saying an employee would be just as likely to lose a package as a courier service would. His solution is for enterprises to further protect themselves by purchasing more insurance for shipped goods.

"You can get higher levels of insurance on any items you're sending, so if it's lost, stolen or damaged, you can get some financial payments back," he said. "It raises the cost of what you pay UPS or FedEx, but it's probably less expensive than having your own people do it."
