A driver for Iron Mountain Inc. lost backup tapes containing data on thousands of college students and their parents, resulting in another loss of data for the offsite storage company, which has been involved in high-profile security breaches in recent years.
The tapes belonged to the Louisiana Office of Student Financial Assistance. According to a statement of notification on LOSFA's Web site, the security breach could affect many people:
- anyone who has a Louisiana College Savings account,
- any resident of the state of Louisiana who has completed a Free Application for Federal Student Aid (FAFSA),
- anyone who has completed a FAFSA and included a Louisiana postsecondary institution as an institution to which FAFSA data should be sent,
- anyone who has applied for or received a Tuition Opportunity Program for Students (TOPS) Scholarship, and
- anyone who has applied for or who has received student financial aid in the state of Louisiana.
However, exact numbers of potential victims are not known.
The driver reportedly lost a container full of backup tapes containing data for every Louisiana application for federal student aid from 1998 through Sept. 13, 2007, while it was being moved from Iron Mountain's Port Allen, La., facility to Baton Rouge, La. The lost tapes contained a decade's worth of bank account data and Social Security numbers for almost all Louisiana college applicants and their parents.
LOSFA is offering those affected access to a secure Web portal to determine if their data is among the missing. "LOSFA has no reason to believe that the information has been accessed or that it has been misused in any way. However, you are entitled to be informed of the risks associated with the loss of this media and of the steps that you can take to protect yourself," the agency wrote in its notification statement.
In a statement issued today, Iron Mountain said, "This incident was the result of an employee error. Our driver did not follow established company procedures when loading the container onto his vehicle, leading to the loss."
Iron Mountain's InControl program fails
In August, Iron Mountain began a new chain-of-custody program called InControl, which added onboard computers to the majority of its North American truck fleet. An Iron Mountain spokesperson said in an email to SearchStorage.com Thursday that the truck in question had been retrofitted with the InControl equipment. But the spokesperson noted, "While the InControl technology significantly reduces the possibility of employee mistakes, and we continue to improve on our 99.999% of reliability, no amount of technology investment can completely eradicate human error. Iron Mountain sincerely regrets our role in this unfortunate mishap."
The driver in question has been fired, the spokesperson added.
Meanwhile, companies in highly security-sensitive industries are beginning to seek alternatives to Iron Mountain, not only because of repeated data breaches and reported losses, but also because it's the most high-profile offsite storage company and therefore a larger target for both negative publicity and attacks.
One data center manager for a major financial institution, who requested that neither he nor his company be named, said that his company moved the bulk of its offsite data out of Iron Mountain vaults years ago. He also said he's currently working with a network of small records management companies known as the Secure Media Vaulting Association (SMVA) to replace Iron Mountain services at newly acquired subsidiaries.
"Iron Mountain was not only losing our backup tapes, but I actually was receiving tapes belonging to other companies," the manager said. "In our industry we're one mistake like that away from winding up on the front page of the Wall Street Journal."
Alternatives to Iron Mountain sought by some
SMVA's claim to fame is not only that it is not Iron Mountain, but also that each member of the consortium uses modular fireproof vaults made by Firelock Inc., which are designed to avoid incidents like the fires at Iron Mountain facilities in London and Ottawa last year that destroyed hundreds of customers' paper records. "The network has helped me find alternatives to Iron Mountain in many other cities," the data center manager said.
According to W. Curtis Preston, vice president of data protection services at GlassHouse Technologies Inc., Iron Mountain receives the most intense scrutiny because it ships the most backup tapes. "But users aren't necessarily going to avoid these problems just by moving to another company that also uses humans," he said.
Preston urged users to encrypt backups in all circumstances. "Anyone who is sending out unencrypted backup tapes at this point is not doing their job," he said. "It's only a matter of who will be next [to lose data], not if. There are companies still ignoring this problem, and those companies should wake up."