FedEx: When Your Data Absolutely, Positively Has To Be Lost Overnight

On Thursday (March 29), California reported that FedEx—with an important assist with IBM and Iron Mountain—had lost highly sensitive data from more than 800,000 people in its child support database. Although it's a very bad situation, it's a good case study of the "secure the weakest link" approach, where a small hole in Iron Mountain's distribution network sent the four disks through an insecure shipment service (the question remains of whose idea it was to use FedEx). This is a fate that potentially awaits any retail IT shop, because backup disks ultimately have to be transported somewhere.

Almost as unsettling was a rather reckless statement from the department's director, where she offered unwarranted confidence in the impregnable nature of disk formatting. "Because the devices are in a specialized format, we have no reason to believe, at this time, that the data has been accessed or utilized in any way," said Kathleen Hrepich, the interim director of the California Department of Child Support Services. Presumably, "at this time" means "until I actually talk with someone in IT security."

The cartridges require special hardware and software to properly read the data, a department official said. True, but that software and hardware exists and patient cyberthieves are quite good at getting around such obstacles.

Is there much of an incentive for the thieves to try? The state—which waited 17 days after the March 12 incident to announce it—said the data about those more than 800,000 consumers (children, too, whose identifications are always in high demand; there is often little to no activity on their IDs yet, making fraud easier) included names, addresses, Social Security numbers, driver's license numbers, names of health insurance providers and employers.

Of course, the greatest security defense here is that the thieves have to find the disks before FedEx does, which gives the bad guys a fighting chance.

Here's what apparently happened. The cartridges had been sent to IBM's facility in Boulder. Colo., as part of a disaster simulation, so the technology company could test whether it could run California's child support system remotely. The disks were then scheduled to go back to an Iron Mountain facility in California.

The details about that trip get a little murky. Christine Lally, a spokeswoman for the state's Office of Technology Services, said FedEx was used to move the disks because of a hole in Iron Mountain's distribution system (the state said Iron Mountain doesn't fly disks) and that FedEx was an Iron Mountain subcontractor. Hence, FedEx was brought in because Iron Mountain couldn't fly.Iron Mountain, however, issued a statement saying, "these storage devices were being sent to us via third-party shipping company, as per the state agency's defined disaster recovery protocol." So Iron Mountain is saying that California insisted on FedEx, not Iron Mountain. California's Lally said using FedEx "was not our directive," adding, "the state was agreeable to using FedEx."

As for how the disks got lost, Lally said the fault for that is shared by IBM, whose people did not properly secure the containers, which enabled four disks to fall out of the container. "We believe that the containers were not properly secured at the IBM facility," she said.

Regardless of who brought in FedEx and who packaged the crate, who was making sure that quality control was maintained? Did California, IBM or Iron Mountain make special arrangements with FedEx to handle sensitive data or was this thrown in a truck along with 50 fruit baskets?

A bit late to the party, California has apparently learned that shipping sensitive disks in 2012 is perhaps not the most secure—or cost-effective—way to move data. "The California Office of Technology Services (oTech) is working with their contractors to strengthen their information security practices. oTech is also in the process of establishing new systems and processes that will eliminate the need for shipping storage devices in the future," said a California statement.

Lally clarified that the new system—which will electronically transfer the data to offsite locations—is very near term. "We anticipate that this service will be up and running by the end of this year," she said.

To be fair, this all likely seemed entirely reasonable at the time to all of the players. If it went well, FedEx is likely the cheapest and fastest alternative. But sensitive data transports need to be handled with extra care.

Maybe California will run into some luck finding the cartridges. In a terrible irony, the most recent news release from Iron Mountain—dated March 6, six days before the California incident—is a new service "aimed at helping customers to find and retrieve files stored on magnetic tape cartridges." That's convenient. It can start by finding these cartridges, which Iron Mountain—with help from IBM and FedEx—lost.