The loss of unencrypted storage media from an Iron Mountain vehicle last month renewed calls for IT managers to better protect data stored off-site.
The Louisiana Office of Student Financial Assistance (LOFSA) says the unencrypted data lost from the vehicle of its contractor in September includes the names, birth dates and Social Security numbers of thousands of state residents.
The state agency administers several state scholarship programmes as well as the state's College Savings Plan.
Sue Boutte, assistant executive director and chief operating officer of the agency, declines to say whether the unencrypted data was stored on tape or disk drives. However, she concedes, "If you trust your data to a courier, then obviously something like this can happen."
According to Boutte, the incident occurred while the agency was working on a plan to encrypt all backup data stored off site.
"LOFSA was in the process of developing our disaster and recovery plan, but [the loss] occurred before we could get it in place and establish it as a standard plan," she says.
In a statement, Boston-based Iron Mountain blamed the theft on "a driver [who] did not follow established company procedures when loading the container onto his vehicle." The statement also noted that the company "encourages" its customers to encrypt backup data.
In a recent interview, Iron Mountain CEO Richard Reese said his firm is working hard to eliminate human error by its employees. For example, the company announced this summer that it is retrofitting its fleet of trucks with a new self-designed security and tracking system.
A similar incident two years ago prompted TD Ameritrade to encrypt all of its backup data, says a spokesman for the Nebraska-based financial services firm.
The backup tapes, later recovered, fell off an Iron Mountain conveyor belt and became lost in a shipping facility. Those tapes contained personal data on 200,000 Ameritrade clients.
At the time "we re-evaluated our [backup] processes and procedures, and from that point forward, we encrypted [all data] and have taken that extra level of protection," the spokesman says.
Brian Babineau, an analyst at Massachusetts-based Enterprise Strategy Group, says that IT managers who don't encrypt data are "not doing their jobs. Organisations need to understand that encryption is a necessity and not a luxury anymore.
"This would be the equivalent of not locking your luggage when you travel overseas or leaving your wallet exposed in your back pocket," he says.