SmartPay® is a General Services Administration (GSA) program that provides charge cards to government employees and contractors. Bank of America is one of five financial institutions responsible for these accounts, and the missing backup tapes contained customer and account information for 1.2 million government employees, including Senators Patrick Leahy and Elizabeth Dole.
If verifying tape backups is rare, encrypting them is even rarer. I don’t normally encrypt my backups, and neither do most people I know.
On the other hand, I keep my Quicken data, my passwords, and any proprietary or financial information about my clients in encrypted files. Doubtless any really professional hacker could still break into them, just as such a person could figure out my Windows Logon password easily enough. But it’s enough to keep casual burglars and curious visitors out of my files.
And if I can do that much, you’d think a bank would realize it needed to encrypt its backup tapes. Banks are, after all, the most obvious targets for large-scale data theft. Bank accounts belonging to the government are, if possible, even more tempting targets. (After all, whose card would you expect to be able to charge more to, mine or Uncle Sam’s?)
I personally find the fact that it was those particular tapes which were stolen highly suspicious, and the disappearance raises a great many questions about other aspects of the transport and security of Bank of America’s backup tapes. Do they send them in armored cars with guards? If not, why not? Pound for pound, the information on those tapes is worth more than cash. If so, then how did the tapes get mislaid? Was this an inside job? Do I need to take my money out of Bank of America? (But if I do, would it actually be any safer elsewhere?)
One hopes that this incident, and certain other recent highly publicized cases of data theft, will cause financial institutions and other corporations to re-evaluate their backup policies. Continuity Central has some suggestions, including using RFID tags, bar codes, or even GPS locators on the tapes for better tracking, encrypting the tapes, and not using tapes at all. All of those sound like good suggestions to me.
Small and home office users probably don’t need to go as far as bar codes, RFID, or GPS, but I strongly advise you to password-protect not just the backups of any sensitive information you have, but the files themselves. Outlook PST files, ACT! databases, and Quicken and QuickBooks account files can all be password-protected. Bear in mind that an application’s built-in password is often only an access check rather than strong encryption, so for data that genuinely matters, encrypt the files with a dedicated encryption tool as well. Your passwords themselves belong in a password manager protected by a single strong master password; several freeware products do this, and some will also generate random passwords of whatever length you want. If you have a lot of sensitive data, or many people have access to your office, you definitely need a logon password, and you might want to consider a LockBox drive for your backups.
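The two habits the post says are rare, encrypting a backup and verifying that it restores, fit in a few lines of shell. The script below is an added example, not code from the original post or from any product it mentions. It assumes POSIX sh, tar, diff and openssl 1.1.1 or later (for the -pbkdf2 option); the function names and the BACKUP_PASSPHRASE variable are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a backup archive with a
# passphrase, then prove it restores byte-for-byte, which is the check a tape
# usually never gets. Assumes POSIX sh, tar, diff, openssl >= 1.1.1.
# The function names and BACKUP_PASSPHRASE are this example's own choices.

# The passphrase comes from the environment, never from the command line,
# so it does not show up in "ps" output. Set it once per session with:
#   read -r BACKUP_PASSPHRASE; export BACKUP_PASSPHRASE
require_passphrase() {
    if [ -z "${BACKUP_PASSPHRASE:-}" ]; then
        echo "BACKUP_PASSPHRASE is not set" >&2
        return 2
    fi
}

# encrypt_backup SRC_DIR OUT_FILE
# Archive SRC_DIR and encrypt it with AES-256-CBC under a key derived from the
# passphrase by PBKDF2 (200000 iterations, random salt stored in the file).
# The pipeline's exit status is openssl's; a tar failure would leave a short
# archive, which verify_backup catches by comparing the restored tree.
encrypt_backup() {
    src="$1"; out="$2"
    require_passphrase || return 2
    tar -cf - -C "$src" . |
        openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
            -pass env:BACKUP_PASSPHRASE -out "$out"
}

# verify_backup ENC_FILE SRC_DIR
# Decrypt and unpack into a scratch directory, compare tree-for-tree with the
# original, then remove the plaintext copy. Returns 0 only if the restore is
# identical; a wrong passphrase, a truncated file or a damaged tape all fail.
# Run this on a trusted machine: the scratch directory briefly holds plaintext.
verify_backup() {
    enc="$1"; src="$2"
    require_passphrase || return 2
    scratch=$(mktemp -d) || return 2
    mkdir "$scratch/tree" || { rm -rf "$scratch"; return 2; }
    rc=0
    if openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
            -pass env:BACKUP_PASSPHRASE -in "$enc" \
            -out "$scratch/restore.tar" 2>/dev/null &&
       tar -xf "$scratch/restore.tar" -C "$scratch/tree" 2>/dev/null; then
        diff -r "$src" "$scratch/tree" >/dev/null 2>&1 || rc=1
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# Usage (after exporting BACKUP_PASSPHRASE as shown above):
#   encrypt_backup "$HOME/Quicken" /media/tape/quicken.tar.enc
#   verify_backup /media/tape/quicken.tar.enc "$HOME/Quicken" && echo "restore OK"
```

The verification step is deliberately a full restore and compare rather than a checksum of the encrypted file: a checksum only proves the tape still holds what you wrote, while a restore proves you can actually get the data back with the passphrase you think you have.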
And you might just want to ask your bank what it’s doing to keep your account information secure.