Quis custodiet ipsos custodes?
Or, in this case, who protects you from the person who protects your data? According to a recent study by the Ponemon Institute, Trends in Security of Data Recovery Operations, the very third-party data recovery services that can help you get your data back might be helping themselves to your data, too.
“We surveyed 769 IT security and IT support practitioners who are involved in their organization’s data security or data recovery operations. According to the findings, 85 percent of these respondents report their organizations have used or will continue to use a third-party data recovery service provider to recover lost data. This is an increase from 79 percent in the previous study. We also learned that organizations are frequently using a third party when a device crashes. In fact, 37 percent use multiple third parties and 39 percent say they use third parties at least once each week or more. However, the vetting of these data recovery service providers is considered fair by 30 percent of respondents and 9 percent say it is poor.”
This sort of problem isn’t new, and isn’t limited to corporations, but the problem is getting worse, Ponemon says:
“A large percentage of respondents in this study report their organization has had at least one data breach (87 percent) in the past two years. (This is consistent with other Ponemon Institute studies about the prevalence of data breaches.) Of the 87 percent who say their organization had a data breach, 21 percent say the breach occurred when a drive was in the possession of a third-party data recovery service provider. This is an increase from 19 percent in the previous study. In many cases, respondents point to the data recovery service provider’s lack of security that led to the data breach.”
Note, too, that this doesn’t mean the third-party data recovery service itself hires crooks, but that the security at the service itself might be lacking, making it an enticing target for criminal hackers: a single recovery firm holds copies of many customers’ data at once. For example, in May 2011, Co-operative Life Planning’s funeral planning division discovered that the personal data of 83,000 customers had been leaked by a data recovery firm that had been called in after a hard disk failure. Although the recovery itself was successful, the data was retained on the recovery company’s servers, and those servers were then hacked into. (But no doubt it’s the owner of the data, not the recovery company, that has to deal with notifying the users involved.)
So, what to do? The Ponemon report offers some suggestions on how to pick a reputable firm, and DriveSavers offers a (somewhat dated, 2009) white paper with similar suggestions.
The important thing, Ponemon says, is that organizations need to consider security as a primary factor in selecting such companies. Notes the study:
“The majority of respondents in our study either report to the Chief Information Officer or Chief Information Security Officer. Fifty-nine percent are at or above the supervisory level. These individuals believe that their organizations are making decisions about who will handle the data recovery process based on the speed of service, successful rate of recovery and overall quality of service rather than data security. As a result, only 28 percent see data security as a main criterion for determining the adequacy of third-party data recovery service providers.”