Disaster Recovery Disaster: Drill Gone Wrong Leads To Loss Of Data On 800K

Call it a disaster recovery drill disaster. The loss of four magnetic tape cartridges containing data on 800,000 California residents was the unfortunate result of an IBM-managed disaster recovery exercise gone wrong, said Christine Lally, Assistant Secretary, Legislation & Communications for the California Technology Agency. 

California recordsCall it a disaster recovery drill disaster. The loss of four magnetic tape cartridges containing data on 800,000 California residents was the unfortunate result of an IBM-managed disaster recovery exercise gone wrong, said Christine Lally, Assistant Secretary, Legislation & Communications for the California Technology Agency. 

The tapes contained information from the California Department of Child Support Services (DCCS) and relate to child support cases managed by the agency and include the names, addresses, Social Security Numbers, driver’s license or state identification numbers of state residents, as well as the individuals employer information, the names of health care providers and health insurance plan membership identification numbers, according to the DCCS statement.

Lally said the State discovered the breach in early March when it received and opened a shipment of magnetic backup tapes that were sent back to the State Office of Technology Services (OTECH) by IBM following the disaster recovery drill, only to realize four of 15 tapes sent to IBM were missing.

“IBM was sending the tapes back to OTECH headquarters, and on transit from Colorado to California the tapes went missing,” she told Threatpost.

The disclosure goes some way to explaining why the backup tapes were not encrypted before being sent to IBM. Lally said that OTECH and IBM concluded that was unnecessary because the tapes were being shipped as part of a closely managed disaster recovery drill. 

“When this disaster recovery exercise was planned between DCCS, OTECH and IBM< it was determined that the level of risk and the physical safeguards, as well as transit agreements didn’t warrant (encryption),” she said.  

The exact circumstances that led to the tapes being lost aren’t known. But Lally said that transit documents suggest that the four missing tapes made it into the shipping container that was sent from Colorado back to California, but subsequently disappeared. OTECH believes that the tapes may have fallen out of the container, possibly at the IBM facility, prior to shipment. Foul play does not appear to be involved, she said. 

“At this time, we don’t believe that there was malice involved. We think they were just lost,” Lally said.

Both IBM and IronMountain are continuing to search for the lost tapes. Lally declined to comment on what kind of tapes they were or what storage system the State used. 

DCCS is a state agency that enforces child support agreements and collects child support from non custodial parents to send to custodial parents to care for their children. The tapes contained partial or full information on 800,000 individuals who had interacted with DCCS, including custodial parents, non-custodial parents and children, Lally said. 

DCCS sent letters to all potentially affected customers on March 29 and has posted information on its Website: www.childsup.ca.gov. The agency has also set up a toll free number to help those affected. That is: 866 904-7674. 

Lally said OTECH was already investigating secure file transfer services that would replace physical backup tapes and overland shipping. “We were already looking to launch that by the end of the year,” Lally said. “I sure wish now that we had moved that deadline up a bit, but we’re definitely going to get up and running with that.” 

Suggested articles