Things don't go "missing". Things get "taken and not returned because they have value". So the question stands, who will be the highest bidder...

There should be a law against any business or agency physically shipping or otherwise transmitting sensitive customer information on more than 10 customers as part of a single activity without strong cryptography protecting the entirety of the customer information, and with cryptographic keys being exchanged by such means that acquisition of the encrypted information does not also provide an attacker the means to decrypt it. Passwords used in conjunction with the strong cryptography would have to meet certain defined standards. Penalties should be tripled if this law is broken and the information includes any of the following: bank account, debit, credit, or social security numbers, medical records, biometric data, or other essential information generally used to authenticate the identity of an individual.

This would make all of the following illegal, and very costly:

* Having thousands of veterans benefits data stolen from a copy left in a car (US)
* Burning thousands of records to CD and popping it in the mail (recent UK scandal)
* Losing an unprotected backup tape (case in point)
* Using weak password schemes (e.g. an xls sheet password)
* Transmitting data over an unprotected Internet connection

Heck, if these companies bothered to apply suitable cryptographic practices (including managing key exchange appropriately), none of us would even have to be concerned when tapes like these go missing.

Free credit monitoring always seems to be the "get out of jail free" card for these guys. That's nice, except when you actually become the victim of identity theft and it ruins your life for years.

Wonder if thats why GE Money hass been trying to contact my brother since December. He's ignoring them because he's late on a payment. Wonder how many others are ignoring GE MOney's contacts. Not just in the possibility of a stolen tape, but what does data loss on a consumers data really mean? How would it affect the consumer. I can't imagine GE Money lost what transactions were made.

"GE has agreed to pay for a year's worth of free credit monitoring for those affected."

Why not 5 or 10 years of "free" credit monitoring ?

More to the point, what are GE going to do for you when the free credit monitoring says "hey, you may be the victim of identify theft!". Identity theft is not only about credit cards, either.

Additionally, why should *anyone* trust the agency paid by GE to perform this credit monitoring, when it's hardly in GE's interests for people to become aware that fraudulent behavior is happening?

It makes no sense.

I never understood why large companies use these guys. What is wrong with backing up over wan at night to other locations?

And then doing tape backups there if you like. Involving a third party is asking for trouble!

Because no matter how good the encryption there is always an employee who can get a copy of the encryption keys. It's much easier to physically secure data then it is electronically and it's safer. Of course the best approach is to do both.

I dispute your claim.

Virtually every time we hear of a mass data loss it's because someone lost the data on physical medium.

If you can't protect an encryption key from theft by an employee then you don't deserve to be holding sensitive data on thousands of individuals - how the hell do you protect that data if you can't protect an encryption key?

Completely unacceptable.

They are PAID TO NOT MAKE MISTAKES. That's WHAT THEY DO TO EARN THEIR MONEY.

How many other "occasional mistakes" have they made?????

Iron Mountain, although it said it regretting misplacing the tape. "We occasionally make mistakes,"

-----

Did they basically just say "oops" ?!?!

"Did they basically just say "oops" ?!?!"

I think it was more like, Doh!!! LOL