
Irreverence

Stolen to order? Ridiculous assertions

posted on 25 April 2008 06:16


Easy, so very easy, to read stolen Boots Medisure tape

Was a backup tape stolen to order for identity theft purposes?
On April 3rd a backup tape was stolen from a courier's car in Bristol, England. It was en route to the local office of Medisure, the administrator of UK chemist (pharmacy) chain Boots' Dental Plan insurance policy.
The tape contained records of 27,000 Dental Plan customers and 7,000 Boots employees, including names, addresses, and bank details; an identity thief's El Dorado.

The reactions of the various authorities concerned exhibited classic symptoms of denial and complacency.

The Bristol Police said it was an opportunistic theft and people, by inference, don't need to be worried. How would the Police know if it was opportunistic or not? If it was a planned theft then stealing the tape from a parked car would be a good idea.

If it was an opportunistic theft and the miscreant broke into the car to remove a visible package inside it, then the courier company is incompetent and should be fired by Medisure or Boots or whoever hired it. The company has not been named, so it can't be shamed.

Medisure said it was highly unlikely that the Dental Plan customers involved need be concerned because specialist IT equipment would be needed to read the tapes. Give me a break. Specialist equipment like a backup tape drive and programme? The sort of kit that's available in thousands of computer rooms up and down the UK?

So-called 'specialist equipment' is needed to capture cash card details at an ATM. It happens every day. The Police and banks don't tell us not to worry about that. I just don't buy this 'specialist equipment' guff.

All you need to know is the tape format (LTO, whatever) and the backup software and the tape's contents can be read. Apparently it wasn't encrypted.

It wasn't encrypted and it was transported by an incompetent courier. How silly and irresponsible is that in this day and age of identity theft?

Boots said it took the protection of its customers' data 'extremely seriously.' No, it did not. Telling the customers it has happened and having the FSA involved does not demonstrate extreme seriousness at all, just everyday practice.

The extreme of seriousness would have involved encrypting the tape's contents and transporting it in a secured vehicle, as cash is transported between banks in armoured vans. Customer data that can be used for identity theft is money in waiting and should be dealt with as such.

Any organisation sending un-encrypted customer data with the potential for identity theft should view the practice as completely unacceptable, whether it be by CD, thumb drive, hard drive in a laptop, or backup tape. That data should be encrypted. It is as simple as that.

Ideally it should also be sent to its destination across a secure network link and not physically transported.

Boots and Medisure and the unidentified courier company have demonstrated complacency and carelessness and ought to be ashamed of themselves. They should change their working practices concerning customer information transfer and stewardship immediately.

PS. The University of Miami has also suffered a theft of tapes in transit which contained identity information. Its tape transit method and its response to the theft put Boots and Medisure into the shade and make their complacent inactivity plain for everyone to see.

[Chris Mellor.]