Top 5 Data Losses

Most companies with any sort of IT infrastructure have got some sort of disaster recovery plan. Whether it be a set of tapes or CD’s or a redundant data centre, the idea of losing the company accounts on a hard drive that has become a paperweight is something that keeps IT managers awake at night. Fortunately, the total disaster is somewhat rare, and tails of data loss tend to have happy endings, but not always. Here are five calamities that have befallen poor hairless IT staff, and a few tips for those nervous about loosing their data.

(1). HMRC

To prove the far reaching and broad scope of data loss, you cannot get much worse than our own HM Government. The loss of 25 Million  child benefit records goes to show that your data needs not only to be secure in your data centres, but outside them as well.

On the 18th of October 2007, a junior official downloaded the records on to a CD at HMRC in the north east UK, and posted them to the National Audit Office in London. The CD never arrived. The CD contained names, bank account details, NI numbers, and addresses of people who were in receipt of child benefit. The CD was password protected, but not encrypted, and the data was vulnerable. The loss was so bad the Revenue and Customs chairman Paul Gray resigned, we even got an apology from Gordon Brown. Fancy that.

(2). The Alaska Department of Revenue.

Einstein once said, that there were two things that were infinite. One was the universe, the other is human stupidity, and he wasn’t sure about the former. The next tail is about a technician at the Alaska Department of Revenue who managed to wipe out an account worth $38 billion.

This poor chap reformatted a disk on the computer housing the data, and then managed to reformat the backup disk as well, deleting applicant information for an oil-funded account. There was no panic however, as they turned to the backup tapes, only to find that they too were unreadable. Consultants from Microsoft and Dell were called in to retrieve the data, but the nightmare was there to stay. Nine months worth of applicant information for the yearly payout from the Alaska Permanent Fund was gone.

(3). Journalspace.com

Data loss does not just stem from hardware failure. There is always the jilted ex-employee to worry about as well. Blogging platform Journalspace.com discovered this to their peril when an ex-employee overwrote the database. The decision was made by this fellow that RAID was the only backup that they would need, and indeed, their HTTP server managed to last the distance, but their SQL server lost the lot.

The consequence of these actions was that Journalspace went out like a light, and many people lost their posts and personal data. The silver lining to all of this was that some of the posts were recoverable from the Google cache. Happy days for those who had their posts readable by the Google bot, but not for those who had posts set to private.

(4). TK Maxx

The next example of data loss goes to the dark and murky world of the computer hacker. As those who shopped at TK Maxx in 2003 – 2004 may testify. In 2007, hackers got away with 45.7 million debit and credit card details over an 18 month period. The hackers were also able to get their mitts on 451,000 records containing names addresses and even driving licence details from people who had returned goods without a receipt. The data related to transactions made between 2003 and 2004, and the company warned that customers should be checking their bank statements for any unusual activity.

The hackers used a technique called War Driving. War Driving is the act of driving around looking for wireless networks with weak, or no encryption. Once such a network has been discovered, the attacker can “sniff” or intercept the data that is transmitted and save it to look at later. Because of the week encryption, the initial hack was not particularly difficult, and is possible with freely downloadable software.

(5). AOL

My last example of data loss is the enemy within. In 2004 a 24 year old software engineer at AOL managed to steal 92 million email addresses that he later sold to spammers. The addresses were used to send millions of unsolicited emails peddling plonker enhancement pills to the masses. Jason Smathers was also able to get his hands on other AOL member information, including telephone numbers, and Zip codes.

Smathers was eventually caught, after an informant tipped off the authorities and was  arrested in his home. Investigators uncovered instant messages and emails sent from Smathers’ computer that alluded to the sale of the stolen data. Though this type of data loss can be negated with checks and balances, it is still vulnerable to anyone who has access to the data. Even if you stop email and block up all the USB ports and DVD drives, the most cunning hacker can still use the most sly tool they have, the paper and pencil.

So what can we do to help stem the tide of leaking and disappearing data? Well In the case of human stupidity, we have little hope of finding a cure, but there are more practical things we can do. For example, both TK Maxx, and HM Government could both have done with better encryption, and any encryption respectively.

In TK Maxx’s case, and in the case of many people, stop using WEP. The problem being it’s weak. Move on to WPA or WPA2. Both of which offer substantially better protection for your wireless LAN than WEP does. Also choose a good password, or even a passphrase. In the case of a password, use at least 14 random characters for super security.

For sending extremely sensitive data out of the data centre, first, try using registered post, then apply encryption. Encrypting data need not be difficult, and for company’s there are many products on the market that can encrypt data so that it would take a supercomputer millennia to decipher. Encryption is not just for those who can afford it either, there are free utility’s like GnuPG, based on Philip Zimmermans PGP, that will do the honours splendidly.

Backups, backups, and more backups are all very well and good, but if that data is wiped by someone who has a version of typing tourettes, and can only knows the command “format C:”, then perhaps off site backups are the answer. There are many services out there like Dropbox, Data Backup Technology, Mozy etc. that can take care of those precious accounts for you, and restore them in case of human error.

Data theft from within the company is a little harder to nail down. Products are available that disallow the use of removable media, like CDs and USB sticks. Some software (like sophos)will also enforce encryption on USB hard drives and other types of removable media so that your civil servants employees will not leave readable data on trains and in taxis. It is also important to educate staff as to why giving their password away for a Creme Egg may be dangerous.

There are many threats that may compromise our data, but with a little common sense, most of them can be avioded. Perhaps if there is anyone with a tail of data loss woe, they could share it with us below. No prizes for the most data lost though!

Image sources:
stedmundsbury.gov.uk, datarecovery.com.sg, getsafeonlineblog.org, matitservices.co.uk, spam.com