June 7, 2005

Physical Information Security

Information security professionals put a lot of effort into securing electronic access to, and transmissions of, sensitive data. They require passwords and other forms of authentication to determine whether access is permitted, and encryption when data is transmitted, to prevent it from being read by the wrong people.

But all the “information security” in the world is worthless if you can’t guarantee the physical security of the device(s) that store (or use) the data in its unencrypted form.

This point has been brought home today by the revelation that a box of data tapes containing information on 3.9 million CitiGroup customers was lost by United Parcel Service. Basically, the UPS guy picked up a shipment of several boxes of data tapes being sent from CitiGroup to the credit reporting agency Experian, and one of the tapes never made it. UPS has no idea where it is. It’s completely lost. (UPS has taken responsibility for the loss.)

Or is it? My guess is that while UPS ships millions, maybe billions of packages and no doubt loses lots of them, the percentage of packages lost is minuscule. The percentage of packages containing sensitive consumer financial data is even more minuscule. If these guesses are both true, then the probability that a box containing sensitive consumer financial data is lost is vanishingly small — suggesting that, perhaps, it was stolen rather than lost.

However, this commenter on the Slashdot posting on this story suggests that perhaps my guess is wrong. He claims that “at least” 0.1% (that is, 1 in 1,000) of all packages are lost or damaged by UPS. If that’s true, it’s really a huge number of losses if you think about it. And it suggests that CitiGroup and Experian should not have been communicating using unencrypted data tapes sent through UPS — no matter how willing UPS is to “take responsibility.”

One Response to “Physical Information Security”

  1. Dave Schuler Says:

    Precisely how does that pass the security audit that’s being required of publicly-held companies?

