Tape media has long been used for storing data for long-term retention, as an alternate copy, a backup or an archive. It is a well trusted medium and can deliver good results at relatively low cost. However, without the use of encryption, losing a tape could put an organisation in the unfortunate position of a serious data breach. The Commonwealth Bank of Australia (CBA) have found themselves in this unfortunate position.
The breach, what happened?
Joining a growing list of large organisations across the globe owning up to serious data breaches, the Commonwealth Bank has admitted that several years ago, in 2016, 2 magnetic tapes were lost. While 2 tapes may not sound like a lot, the tapes held 15 years’ worth of sensitive personal data including customers’ names, addresses and account numbers. The total number of customers affected is thought to be just shy of 20 million.
The tapes had been entrusted to third-party contractors to securely destroy, but due to a lack of a paper trail or proof, the bank ended up with no way to fully establish whether the data had been destroyed or what had happened to it. The “tapes did not contain passwords, PINs or other data which could be used to enable account fraud”.
An independent forensic review by KPMG determined that the tapes had likely been ‘disposed of’; however, with no guarantees, there should still be cause for concern.
CBA will be well aware of the consequences of non-compliance with regulations, having been accused of breaking federal laws related to anti-money laundering protocols. The announcement of this breach is likely to prompt an investigation and could lead to further sanctions or fines from the Office of the Australian Information Commissioner (OAIC).
The consequences of data breaches have been well documented in recent months, especially in Europe where the General Data Protection Regulation is just weeks from coming into effect. While there are several high-profile changes coming into effect with the GDPR, one of the most publicised is the ability for the relevant supervisory authorities to issue fines of up to €20 million or 4% of global turnover for the most serious breaches.
The Information Commissioner’s Office (ICO) in the UK has never given the current maximum fine of £500,000 under the Data Protection Act.
Data management, don’t bank on it
The Commonwealth Bank isn’t the only banking institution currently under fire for IT practices. British banking chain TSB has been making negative headlines for almost 2 weeks as an IT outage has left services inaccessible and customers outraged. Following an attempted data migration from ex-parent company Lloyds’ IT systems, many of TSB’s online services were left offline and customers were unable to access their accounts; the issue is thought to have affected around 1.9 million people.
TSB have waived fees accrued during the outages in an attempt to stop customers from leaving, but with many going on two weeks with no access to their accounts it may be too little, too late. It will also be costly for the bank.
Securing data, is cloud the answer?
In the cases of both banks having serious IT issues, plans had been made to stop issues occurring. TSB have stated that the migration was securely tested prior to going live, yet data was still lost or damaged and systems have been offline for two weeks. In CBA’s case, contractors were trusted with the security of the tapes, but a lack of oversight led to the data going missing. Storing 15 years’ worth of data on tape may have been a cost-effective archive, but by simply misplacing the tapes, 20 million people’s data was put at risk. A cloud archiving solution not only ensures that data is securely encrypted and held in a secure data centre, but also that on deletion the data is securely removed and the deletion can be reported on; data deletion could even be policy driven to further reduce the need for manual intervention. In addition, having a full copy of data in cloud storage can allow for a simple migration between systems, and where a cloud backup is in place, data can simply be restored to a new location, effectively acting as a migration of the data.