Jaime Chanaga, CISSP, CISA

Imagine driving down the intersection of Interstates 287 and 684 in Weschester County in New York and seeing a few computer backup data tapes falling from the back of a truck.  This happened when a contractor was using the truck to transport computer equipment between IBM (NYSE:IBM) offices.  Although the incident occurred in late February 2007, to this date, the missing computer tapes have not been recovered.

IBM has quietly offered a reward for the return of the missing computer backup data tapes through ads in a few local New York newspapers.  IBM has confirmed that the missing computer backup data tapes contain sensitive personal information including, names, addresses, dates of birth, social security numbers, and employment service dates for an unspecified number of current and mostly former IBM employees.  IBM is offering affected employees free credit monitoring services for one (1) year.

IBM is a leading company in the information security services industry.   However this incident demonstrates the fact that all organizations are at risk for security lapses.   IBM is a large sophisticated organization with a broad and deep understanding of information security but has publicly acknowledged that some of the missing computer backup data tapes may have not been encrypted to protect the data they contained.

Data encryption is a basic information security control which can protect data from accidental disclosure.  Perhaps other organizations can learn from IBM's actions in this case and implement basic information security protection measures such as data encryption to protect all computer data backups.

Computerworld - IBM contractor loses employee data in transit
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019518&intsrc=hm_list