Re-Certified LTO Tapes Poses
Serious Data Security Risks and Poor Performance
Those that sell their used tape stock and buyers of
re-certified media beware
Fujifilm announced results from a study that finds
re-certified tape media poses serious data security risks for those who sell
their used tape stock to re-certifiers and poor performance for buyers that
purchase from this market.
The joint analysis by Fujifilm and Ovation Data Services, Inc.
found that confidential data can be recovered through certain data recovery
methods and can expose a range of data, be it personal, corporate, financial or
healthcare records.
Organizations that sell their used tape media must understand
the inherent risk of having sensitive data out in the public or being
maliciously used by third parties and for buyers of re-certified tape, users are
very likely to experience unacceptable quality and performance issues.
About the study
Fujifilm confirmed the dangers of selling and buying used
media through a study conducted with OvationData, provider of data recovery,
migration and data tape services with HQs in Houston, TX.
Fujifilm randomly acquired a total of 50
re-certified LTO data tapes of various brands from five re-certified tape
resellers, and submitted them to OvationData for analysis. It found that
48 out of 50 tapes still contained usable
information, even though some
reinitializing was performed on the beginning of the tape to make it appear that
any prior data was deleted. Additional analysis on a sub-set of these tapes did
in fact reveal the existence of highly confidential customer data.
It is astonishing to find that the LTO tapes were only quickly
initialized, and not completely overwritten or properly erased. We determined
that no physical form of certification appears to have been performed on the
tapes other than writing of a single end-of-data marker at the beginning of
tape, this means that there was no writing or reading of test data to or from
the tapes to check for potential errors or physical tape damage and that the
existing data was not fully erased.
To effectively and securely erase data on an LTO format tape
(or other tape utilizing a magnetic servo) requires a complete overwrite of the
entire length and all tracks of the tape. This process takes several hours and
would not prove to be economically feasible for the re-certifier. Otherwise,
simply initializing with a new end-of-data marker can be overcome with the
appropriate data recovery techniques.
The study also highlights the fact that there are no industry
standards for re-certifying used media despite claims by re-certifiers, so the
quality and reliability of used media is questionable. Furthermore, the past
handling and storage history of used media can never be ascertained, potentially
exposing future users to risks.
In addition to the 48 used tapes
containing user data, a number had significant quality issues.
16 tapes had unacceptably high read, write, and servo error
rates, likely due to excessive wear and
edge damage from mishandling or misaligned tape drives. Additionally,
one third of the tapes had manufacturing dates
prior to June of 2006 according to
OvationData, raising concerns about the tape's environmental exposure history.
Protecting your business
Re-certified data tapes pose a data security concern for
organizations because sensitive data can be accessible after resale. Any data
retention policy that causes a company to fall out of regulatory compliance can
result in severe penalties that can include fines or criminal charges.
Fujifilm recommends that organizations review their
media management policies *from purchase to end-of-life and make sure to:
- Enact policies that ensure control of data before, during
and after it leaves your organization;
- Prohibit the selling of used media to protect against
potential breach of confidentiality or violation of government regulations;
- Develop guidelines for confirming appropriate data
deletion and destruction of retired media;
- Specify 'new, factory fresh' media when purchasing new
media through a reseller. This will ensure that the media you receive is not
merely initialized or repackaged to appear as new.
Counterfeit tapes
Data media buyers also need to be aware of resellers that
are repackaging used tape and selling them as new in counterfeited manufacturer
packaging. These counterfeit products are sold to unsuspecting customers,
usually via discount websites. Fujifilm is working with several customers who
found that they had purchased used tape sold as new - and taking action against
resellers engaged in this business.