Cattles' lost backup tapes highlight risk of unencrypted data storage

Cattles Group lost backup tapes containing 1.4 million unencrypted customer records. The incident highlights the risks of removable storage.

Information security experts say the loss of customers' personal records by a Yorkshire-based finance company highlights the dangers of storing data on unencrypted tapes.


The Cattles Group, which specialises in personal loans and debt recovery, admitted losing two backup tapes containing information about 1.4 million customers. Although the loss took place at the end of November, the company has only recently written to customers informing them of the breach. It has also informed the Information Commissioner’s Office and the Financial Services Authority.

Details of the loss
According to a company statement, the tapes contained the names and addresses of 1.4 million customers; 600,000 of those records also contained customers’ date of birth and payment history, data that could be easily exploited by fraudsters for identity theft. The tapes also held data from Cattles Group’s human resources department about staff working for the Cattles Group since October 2010.

The company said that, although it had no evidence the tapes had fallen into the wrong hands, it was informing all those affected.

The incident raises the question of why so many companies are still backing up data onto tapes without encryption, when other potentially more secure methods, such as cloud-based services or remote backup centers, are available.

According to research published in June 2011, tape continues to be widely used as a backup medium and shows no sign of declining. Furthermore, research found only 22% of companies have deployed data encryption.

This is despite several notable data breach or loss events involving tapes or portable media, perhaps the most notorious being HMRC's loss in 2007 of CDs that contained 25 million child care records.

Reaction from security professionals
“This incident should serve as a warning to other businesses that are still reliant on tape for backing up sensitive data,” said Eoin Blacklock, managing director at KeepItSafe, a data backup service run by j2 Global, which has its European headquarters in Dublin. “Simply put, data left lying around on tape is an easy target for thieves.”

Security professionals said the case demonstrated a lack of the most basic security measures. “There isn’t really any excuse not to encrypt backups. Encryption is now standard on most current versions of backup software, and certainly on all the commonly used applications,” said Neil O’Connor, managing director of Hampshire-based consultancy Activity Information Management. “Encryption is certainly something we always recommend from a risk assessment – and even more so if you are handling lots of personal information.”

O’Connor said organisations often fail to encrypt because of inertia, or because they fail to perform adequate risk assessments.

Although some organisations might be attracted to backing up information to the cloud, O’Connor warned this could breach Principle 8 of the Data Protection Act (DPA), which prevents the transfer of data outside the European Economic Area (EEA) without proper protection. “If you don’t know where the data is being stored it may be out of the EEA and subject to local laws that do not adequately support the DPA,” O’Connor said. “You can get around this by encrypting the data locally before you back it up into the cloud.”

Brian Shorten, head of information risk for the charity Cancer Research UK, said magnetic tape is likely to remain a popular choice for backups because it is cheap, but recommended using a backup application that automatically encrypts files. He also advised companies to do regular checks to make sure they can actually read backup tapes.

“If you encrypt backups before they go off-site, you need to ensure you can read them properly if you ever need to,” Shorten said. “You need a process for keeping the tapes secure, and for keeping the encryption keys to read them again, but separate from the tapes. A lot of this really is common sense.”
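The practice described by O’Connor and Shorten (encrypt locally before the backup leaves the site, keep the key apart from the media, and regularly prove the backup can be read back) is sketched below as an added example; it is not code from the article or from any company named in it. The function names and directory layout are hypothetical, and it assumes `tar`, `sha256sum` and OpenSSL 1.1.1 or later are installed.

```bash
#!/usr/bin/env bash
# Added example: encrypt a backup before it goes off-site, then run a restore drill.
# KEYDIR is a key store that never travels with the media (hypothetical layout).
set -eu

# make_key KEYDIR: create a random passphrase file readable only by its owner.
make_key() {
    mkdir -p "$1" && chmod 700 "$1"
    (umask 077; openssl rand -base64 48 > "$1/backup.key")
}

# encrypt_backup SRCDIR KEYDIR MEDIADIR: only ciphertext is written to MEDIADIR.
# The digest of the plaintext archive is stored with the key, not on the media.
encrypt_backup() {
    src=$1; keydir=$2; media=$3
    tmp=$(mktemp)   # plaintext archive stays on local disk and is deleted below
    tar -C "$src" -cf "$tmp" .
    sha256sum < "$tmp" | cut -d' ' -f1 > "$keydir/backup.sha256"
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$keydir/backup.key" \
        -in "$tmp" -out "$media/backup.tar.enc"
    rm -f "$tmp"
}

# restore_drill KEYDIR MEDIADIR: decrypt and compare with the recorded digest.
# CBC mode has no integrity check of its own, so this comparison is what detects
# a damaged copy or a wrong key. Returns 0 only if the backup is readable and intact.
restore_drill() {
    keydir=$1; media=$2
    got=$(openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keydir/backup.key" \
        -in "$media/backup.tar.enc" 2>/dev/null | sha256sum | cut -d' ' -f1) || return 1
    [ "$got" = "$(cat "$keydir/backup.sha256")" ]
}
```

Running `restore_drill` on a schedule exercises both halves of Shorten's point: the media must still be readable, and the key needed to read it must still be retrievable from wherever it is kept.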

David Lacey, director of research for the professional group ISSA-UK, said moving unencrypted tapes is fraught with danger. “I recall one leading bank that moved offices, but forgot to inform its post room about the need to use a secure courier,” he said. “Encryption should be mandatory for all offline media. With modern solutions such as self-encrypting drives, there's no performance overhead. Enterprises should make it their New Year resolution to update their backup systems.”

O’Connor predicted Cattles Group is likely to receive a heavy punishment from the Financial Services Authority (FSA). In August 2010, the FSA fined Zurich Insurance £2.275M after a back-up tape containing unencrypted personal details on 46,000 policy holders went missing in transit.
