The trade press is filled with stories about companies getting into big regulatory trouble over lost backup tapes . The tricky part is that usually, one reason companies use backup tapes is the ability to archive backup tapes offsite for extended periods of time. Terabytes by Terabytes, rotating cheap SATA disks usually is cheaper and faster, but hard drives dont have the offline persistence of backup tapes.
But with offsite storage comes loss of physical control. You hire a reputable, but not too expensive, records company to pickup the tapes, and store them at what you hope to be a secure facility. So I was a bit surprised to find a drum full of backup tapes dumped into an alley close to my house. The drum was filled with LTO data tapes commonly used in backups. The tapes looked in good shape, but a bit wet due to being exposed to rain. I dont have a sacrificial reader to try them out (given that they are wet, I dont want to put them in a good reader that is still in use). There are no markings showing the owner of the tapes either on the drum or the tapes themselves, but a couple have pencil markings (like a letter and a number) indicating that they may be used.
At this point I can only speculate what the tapes contain. There are a number of hospitals in the immediate area (couple miles), and I have found medical supplies and lost/discarded patients before. But so far no records. The same pile of trash also includes a similar drum with an address label, and I have yet to be able to contact that company.
So do you audit whoever stores, and discards, your tapes? Would it make sense to identify the owner in case they are found? Or is this just increasing the risk? Do you encrypt backup tapes before sending them offsite?
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.