[ISN] 'Erased' personnel data on agency tapes can be retrieved, company says

From: InfoSec News (alerts@private)
Date: Wed Jan 23 2008 - 22:34:39 PST


http://www.govexec.com/dailyfed/0108/012308j2.htm

By Jill R. Aitoro  
Govexec.com  
January 23, 2008  

Personal and sensitive government data -- including employees' personal 
data -- on magnetic tapes that federal agencies erase and later sell can 
be retrieved using simple technology, according to an investigation 
conducted by a storage tape manufacturer.

The findings contradict a report released by the Government 
Accountability Office last year that concluded such data was 
irretrievable.

From March through August 2007, GAO investigated whether data could be 
retrieved from used magnetic tapes that federal agencies sell to 
commercial tape companies in the United States. Magnetic tapes are 
widely used by federal agencies, particularly for backing up data stored 
on large systems in the event of a disaster or system failure. The 
sample of tapes that GAO obtained came from such agencies as the Federal 
Reserve Bank, the Air Force and the National Oceanic and Atmospheric 
Administration.

According to its September 2007 report (GAO-07-1233R) [1], GAO concluded 
it could not find "any comprehensible data on any of the tapes using 
standard commercially available equipment and data recovery techniques, 
specialized diagnostic equipment, custom programming or forensic 
analysis."

Selling used magnetic tapes is not illegal, GAO pointed out, and if 
agencies follow guidelines set by the National Institute of Standards 
and Technology for erasing all data, the risk of theft is low. "Based on 
the limited scope of work we performed, we conclude that the selling of 
used magnetic tapes by the government represents a low security risk, 
especially if government agencies comply with NIST guidelines in 
sanitizing their tapes," GAO concluded. "Even if some data were 
recoverable from some tape formats that had been overwritten to preserve 
their servo tracks, the data may not be complete or even decipherable."

But representatives from Imation, a magnetic data storage tape 
manufacturer in Oakdale, Minn., reviewed the used tapes examined by GAO. 
Using a tape drive, a standard personal computer and standard 
programming language, Imation reported being able to access bank account 
numbers, employee information, travel expense reports, audit procedures 
and results, employee savings plan balances and international tax 
benefits documents.

The results prompted Congress last week to ask GAO to reopen its 
investigation into agencies selling used magnetic tapes.

"If federal agencies are selling used magnetic storage tapes on the open 
market with this level of recoverable sensitive data available to anyone 
with minimum technical skills or equipment, we should all be alarmed and 
demanding greater accountability from federal agencies engaged in such 
sales," wrote Rep. Betty McCollum, D-Minn., in a letter to GAO in which 
she asked that the investigation be reopened. "The result of the work 
conducted by Imation clearly challenges the earlier GAO conclusion that 
used tapes represent a low security risk... The fact remains that 
substantial amounts of highly sensitive government and personal data of 
citizens may be circulating in the open market on 'recertified' used 
tapes."

McCollum has called for GAO to identify which federal agencies resell 
tapes and confirm that all sensitive information is properly erased. She 
also has asked GAO to find out the processes used to ensure that 
sensitive data is fully erased, the standards for certifying that tapes 
are erased and the systems in place to monitor the dispositions of tapes 
by agencies or contractors. She asked for recommendations on how to 
improve oversight of such dispositions.

GAO could not be reached for comment.

[1] http://www.gao.gov/new.items/d071233r.pdf

