Zurich Financial Services, a major financial services group that specializes in Life and General Insurance, has admitted to losing a tape that was used for backup purposes, a loss that could potentially affect customers on three continents. It hasn't been revealed whether the tape drive encryption was used to protect the information on the missing tape.
The breach occurred in South Africa in August 2008, but was only discovered recently. The whereabouts of the tape are unknown, and the accounting firm KPMG was called in to carry out an investigation (which...is weird, in many ways. Why would you hire accountants to find out what happened on a logistics mishap?) What is known is that the tape went missing during a routine transfer from a Zurich office to a storage center in South Africa. Whether this means Zurich, the city in Switzerland, or a Zurich Financial Services office possibly somewhere in the vicinity of South Africa, I don't know. (I'm tempted to side with the latter, though. Otherwise, this is one company that's going the extra mile, and then some, in the name of data security...except, of course, they failed at it. At least, in this instance they did.) A total of 640,000 customers are affected: 51,000 UK insurance customers (personal details) 550,000 South African customers (bank and general insurance policy details) 40,000 Botswana customers (same as S. Africa) The South Africa numbers represent its entire customer base in that country according to the timesonline.co.uk. Depending on the records, the lost data may include personal contact information (addresses and phone numbers) and bank details (for processing payments). While it's still not known how the tape wound up missing, the company has admitted that its security in South African was lax.
The breach occurred in South Africa in August 2008, but was only discovered recently. The whereabouts of the tape are unknown, and the accounting firm KPMG was called in to carry out an investigation (which...is weird, in many ways. Why would you hire accountants to find out what happened on a logistics mishap?)
What is known is that the tape went missing during a routine transfer from a Zurich office to a storage center in South Africa. Whether this means Zurich, the city in Switzerland, or a Zurich Financial Services office possibly somewhere in the vicinity of South Africa, I don't know.
(I'm tempted to side with the latter, though. Otherwise, this is one company that's going the extra mile, and then some, in the name of data security...except, of course, they failed at it. At least, in this instance they did.)
A total of 640,000 customers are affected:
The South Africa numbers represent its entire customer base in that country according to the timesonline.co.uk.
Depending on the records, the lost data may include personal contact information (addresses and phone numbers) and bank details (for processing payments).
While it's still not known how the tape wound up missing, the company has admitted that its security in South African was lax.
The loss of a backup tape going missing is not an unprecedented development. Heck, sometimes they even go missing from secure storage, as GE found to its chagrin back in early 2008. In the above case, it would be like Zurich finding that their backup tape arrived safely at their South African depository, only to ascertain that it's nowhere to be found. When you consider that backup data must contain important information--why else would you back up the data, right?--it's astonishing that some companies will put every effort into protecting, say, laptop computers using disk encryption, but won't do the same for backup tapes. Why? I mean, if you think about it, a tape can hold many times the data found on a computer, not to mention it's as portable as it gets: it's smaller than a hand-held gaming device. There are, admittedly, problems in that certain tapes don't allow full encryption, so any data to be backed up must be protected with file encryption first, and then saved to tape. This introduces time delays, possibly long ones, when backing up data as well as when restoring it. But it certainly beats breaching the information of all of your customers in a country.
The loss of a backup tape going missing is not an unprecedented development. Heck, sometimes they even go missing from secure storage, as GE found to its chagrin back in early 2008. In the above case, it would be like Zurich finding that their backup tape arrived safely at their South African depository, only to ascertain that it's nowhere to be found.
When you consider that backup data must contain important information--why else would you back up the data, right?--it's astonishing that some companies will put every effort into protecting, say, laptop computers using disk encryption, but won't do the same for backup tapes.
Why? I mean, if you think about it, a tape can hold many times the data found on a computer, not to mention it's as portable as it gets: it's smaller than a hand-held gaming device.
There are, admittedly, problems in that certain tapes don't allow full encryption, so any data to be backed up must be protected with file encryption first, and then saved to tape. This introduces time delays, possibly long ones, when backing up data as well as when restoring it.
But it certainly beats breaching the information of all of your customers in a country.
Related Articles and Sites:http://www.telegraph.co.uk/finance/personalfinance/insurance/6406249/Insurer-Zurich-loses-customers-details.htmlhttp://news.bbc.co.uk/2/hi/business/8320290.stmhttp://business.timesonline.co.uk/tol/business/industry_sectors/banking_and_finance/article6885203.ecehttp://www.citywire.co.uk/adviser/-/news/other/content.aspx?ID=363740