There are few known facts about the incident. “O2 Ireland's IT support partner, IBM, informed us that a tape used for routine daily IT back-up work had been misplaced in September 2011”, announced O2 on its website. But it doesn’t know what is on the tape, thinks it may be merely mislaid somewhere in-house, believes the risk to its 1.7 million customers is low even though the data was unencrypted, and has reported the incident to the Data Protection Commissioner.
But while there are few facts, there are many questions. One is the length of time involved. “I’m not sure I understand why they [were] first told this summer that a tape went missing in September 2011,” notes the DataBreaches.net blog. Brian Honan expands on this. He points out that under EU rules, in the “case of a personal data security breach affecting even one individual, providers of publicly available electronic communications networks or services must without undue delay” notify both the Data Protection Commissioner and every affected customer. O2 appears to have done the former but not the latter – and that still leaves the question of why it should take its IT partner, IBM, 9 months to report the loss.
Honan is also surprised that O2 doesn’t know what is on the tape. O2 claims the tape “contained a snapshot of data at a particular moment in time,” and that, “While it is possible that it could contain some personal data, it is more likely that it simply contained information about O2's normal business affairs and company information.”
‘Why?’ asks Honan. “Most backup systems have a logfile or record of what data was backed up. It seems strange to me that there is no record as to what data was, and was not, backed up onto the tape.”
O2 also suggests that any data would be difficult to extract from the tape. Even though unencrypted, it “was in a format which is not accessible to someone trying to access it and requires specialist technology to extract any readable information from it.” This doesn’t satisfy the experts. “Anyone with the same type of tape drive and software can restore the data,” says Honan. “If that data is not encrypted then anyone with that equipment can restore and read the data.”
Mark Bower, VP at Voltage Security, is also concerned. Unknown, unencrypted data is a risk. “Clearly,” he says, “the conclusion that has to be drawn here is that since the whereabouts of the tape is unknown and the data wasn’t protected, the customer data is at risk and there is a question of how telecom companies stand up against the legislation.” He suggests, “The risk to customer data here could have been easily mitigated with data-centric security by protecting the data at the source so that it stays protected over its lifecycle – including to backup tapes.”
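Two of the points raised above are easy to show in code: Honan's remark that a backup system normally keeps a record of what went onto a tape, and Bower's point that data encrypted at the source stays protected on the tape. The following Go program is an added illustration written for this article, not code from O2, IBM or Voltage Security, and it says nothing about what O2's backup system actually does. It packs a constructed set of files into a tar archive, writes a manifest (path, size, SHA-256) that stays in-house, and encrypts the archive with AES-256-GCM before it would be written to tape. The tape label is bound as associated data, so the restore step fails both with the wrong key and if the tape is relabelled. All names (`BuildBackup`, `RestoreBackup`, `VerifyAgainstManifest`, the label `TAPE-0001`) are assumptions of this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"sort"
	"time"
)

// ManifestEntry records one file written to the backup set.
type ManifestEntry struct {
	Path   string `json:"path"`
	Size   int64  `json:"size"`
	SHA256 string `json:"sha256"`
}

// Manifest is the in-house record of what went onto a tape. It holds no
// file contents, so it can be kept and searched even if the tape is lost.
type Manifest struct {
	TapeLabel string          `json:"tape_label"`
	CreatedAt time.Time       `json:"created_at"`
	Entries   []ManifestEntry `json:"entries"`
}

// BuildBackup packs files into a tar archive, records each file in the
// manifest, and encrypts the archive with AES-256-GCM. The ciphertext is what
// would go to tape; the manifest and key stay with the operator.
func BuildBackup(label string, files map[string][]byte, key []byte) (Manifest, []byte, error) {
	if len(key) != 32 {
		return Manifest{}, nil, errors.New("key must be 32 bytes (AES-256)")
	}
	m := Manifest{TapeLabel: label, CreatedAt: time.Now().UTC()}
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths) // stable order, so the manifest is reproducible
	var plain bytes.Buffer
	tw := tar.NewWriter(&plain)
	for _, p := range paths {
		data := files[p]
		if err := tw.WriteHeader(&tar.Header{Name: p, Mode: 0600, Size: int64(len(data))}); err != nil {
			return Manifest{}, nil, err
		}
		if _, err := tw.Write(data); err != nil {
			return Manifest{}, nil, err
		}
		sum := sha256.Sum256(data)
		m.Entries = append(m.Entries, ManifestEntry{Path: p, Size: int64(len(data)), SHA256: hex.EncodeToString(sum[:])})
	}
	if err := tw.Close(); err != nil {
		return Manifest{}, nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Manifest{}, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Manifest{}, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Manifest{}, nil, err
	}
	// Nonce is prefixed to the ciphertext; the label is authenticated as
	// associated data so a tape cannot be silently relabelled.
	return m, gcm.Seal(nonce, nonce, plain.Bytes(), []byte(label)), nil
}

// RestoreBackup decrypts a tape image and unpacks it. Without the right key
// (or with a tampered image) GCM authentication fails and nothing is returned.
func RestoreBackup(label string, ct, key []byte) (map[string][]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("tape image too short")
	}
	plain, err := gcm.Open(nil, ct[:ns], ct[ns:], []byte(label))
	if err != nil {
		return nil, fmt.Errorf("restore refused (wrong key, wrong label or tampered image): %w", err)
	}
	out := map[string][]byte{}
	tr := tar.NewReader(bytes.NewReader(plain))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(tr)
		if err != nil {
			return nil, err
		}
		out[hdr.Name] = data
	}
	return out, nil
}

// VerifyAgainstManifest compares restored files with the in-house record and
// returns a list of problems (missing files, size or hash mismatches).
func VerifyAgainstManifest(m Manifest, files map[string][]byte) []string {
	var problems []string
	for _, e := range m.Entries {
		data, ok := files[e.Path]
		if !ok {
			problems = append(problems, "missing: "+e.Path)
			continue
		}
		sum := sha256.Sum256(data)
		if int64(len(data)) != e.Size || hex.EncodeToString(sum[:]) != e.SHA256 {
			problems = append(problems, "mismatch: "+e.Path)
		}
	}
	return problems
}

func main() {
	// Constructed sample files standing in for a nightly backup job.
	files := map[string][]byte{
		"customers/export.csv": []byte("id,name\n1,Example Customer\n"),
		"config/app.ini":       []byte("mode=prod\n"),
	}
	key := make([]byte, 32) // in practice: held in a KMS/HSM, never on the tape
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	m, tape, err := BuildBackup("TAPE-0001", files, key)
	if err != nil {
		panic(err)
	}
	js, _ := json.MarshalIndent(m, "", "  ")
	fmt.Println(string(js)) // the record that answers "what was on the tape?"
	restored, err := RestoreBackup("TAPE-0001", tape, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("verify problems:", VerifyAgainstManifest(m, restored))
	_, err = RestoreBackup("TAPE-0001", tape, make([]byte, 32))
	fmt.Println("restore with wrong key:", err)
}
```

The manifest contains only metadata and hashes, so retaining it costs nothing in confidentiality and answers the question O2 could not: which files were on the lost tape. The key is the only thing that makes the tape readable, so its custody, not the tape's, is what has to be tracked.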