'Erased' personal data on agency tapes can be retrieved, company says

Personal and sensitive government data -- including employees' personal data -- on magnetic tapes that federal agencies erase and later sell can be retrieved using simple technology, according to an investigation conducted by a storage tape manufacturer.

The findings contradict a report released by the Government Accountability Office last year that concluded such data was irretrievable.

From March through August 2007, GAO investigated whether data could be retrieved from used magnetic tapes that federal agencies sell to commercial tape companies in the United States. Magnetic tapes are widely used by federal agencies, particularly for backing up data stored on large systems in the event of a disaster or system failure. The sample of tapes that GAO obtained came from such agencies as the Federal Reserve Bank, the Air Force and the National Oceanic and Atmospheric Administration.

According to its September 2007 report (GAO-07-1233R), GAO concluded it could not find "any comprehensible data on any of the tapes using standard commercially available equipment and data recovery techniques, specialized diagnostic equipment, custom programming or forensic analysis."

Selling used magnetic tapes is not illegal, GAO pointed out, and if agencies follow guidelines set by the National Institute of Standards and Technology for erasing all data, the risk of theft is low. "Based on the limited scope of work we performed, we conclude that the selling of used magnetic tapes by the government represents a low security risk, especially if government agencies comply with NIST guidelines in sanitizing their tapes," GAO concluded. "Even if some data were recoverable from some tape formats that had been overwritten to preserve their servo tracks, the data may not be complete or even decipherable."

But representatives from Imation, a magnetic data storage tape manufacturer in Oakdale, Minn., reviewed the used tapes examined by GAO. Using a tape drive, a standard personal computer and a standard programming language, Imation reported being able to access bank account numbers, employee information, travel expense reports, audit procedures and results, employee savings plan balances and international tax benefits documents.

The results prompted Congress last week to ask GAO to reopen its investigation into agencies selling used magnetic tapes.

"If federal agencies are selling used magnetic storage tapes on the open market with this level of recoverable sensitive data available to anyone with minimum technical skills or equipment, we should all be alarmed and demanding greater accountability from federal agencies engaged in such sales," wrote Rep. Betty McCollum, D-Minn., in a letter to GAO in which she asked that the investigation be reopened. "The result of the work conducted by Imation clearly challenges the earlier GAO conclusion that used tapes represent a low security risk... The fact remains that substantial amounts of highly sensitive government and personal data of citizens may be circulating in the open market on 'recertified' used tapes."

McCollum has called for GAO to identify which federal agencies resell tapes and confirm that all sensitive information is properly erased. She also has asked GAO to find out the processes used to ensure that sensitive data is fully erased, the standards for certifying that tapes are erased and the systems in place to monitor the dispositions of tapes by agencies or contractors. She asked for recommendations on how to improve oversight of such dispositions.

GAO could not be reached for comment.

COMMENTS

  • Ensuring that information is erased from magnetic tapes is well understood in the industry. It's referred to as bulk degaussing and it's a basic subject when discussing tape storage. Anyone who works with tapes in these agencies should know that and practice it. And if they don't they should consult with other agencies who have expertise. Why anyone would want a used tape except for the scrap value is beyond me - unless you're an identity thief. Tapes have a limited number of use cycles after which they become unreliable; which one would think is bad for accurate record keeping. I agree with Jim the scrap value to the government hardly holds a candle to the security risk. Agencies responsible should be held accountable to tighten up their practices and degauss or destroy the tapes like they'd shred anything else. But that's not all that needs to be done. It's hard to understand how the GAO could miss information so basic. This isn't a "limited scope"; it's simply an example of sloppy work and the GAO should answer for it for a change. Who audits them?
  • The "limited scope of work" performed by the GAO needs to be investigated. If they had simply gone to the experts before tapes were ever sold in the first place, obtained a thorough analysis, and implemented a verifiable process for erasing, this would never have become an issue. This is just another example of taxpayers' dollars down the drain.
  • I will be sorely upset when I find out that my financial information on a backup tape at the NFC was "wiped" and resold to a third party wholesaler for $5 a case. I mean, how much can be made from a used tape anyway? And it's probably more cost effective to destroy it rather than rehabilitate it and resell it, don't you think? A block of personal data from any federal agency could conceivably cripple or at the very least tremendously hinder an organization. And for what? How frugal is that? How about we post the financial records of each Congressional member on the internet and see how long contemplation takes to resolve that issue. This issue is no different than reselling hard drives. No one does that as far as I know.