Many of us use Internet services – Dropbox for file sharing, Google for collaboration, Mint for finances and many others. Some of us – individuals and businesses – have data spread far and wide over the web. So wide that in many cases we really don’t know where our data lives or how it is protected.
This week many people learned the hard way that this doesn’t always turn out the way you want it to.
Email provider VFEmail announced that they had a catastrophic event that wiped out all of their users’ emails and all of their backups. The first signs of the attack came on February 11th.
The founder of VFEmail says that 18 years of customer data are likely gone and will never be recovered.
Some emails that were stored on a backup in the Netherlands may be recoverable, but how many and when – that is unknown. Most of the users’ info was stored in the U.S. and that, they say, is all history.
VFEmail had multiple servers in multiple data centers with multiple authentication methods and they were all wiped by an attacker.
At this time they have not provided any reason for the attack, but clearly the attacker wanted to do some real damage.
But this is a word of warning to any person or business who assumes that their service provider is going to protect them.
Number 1 – Read your contract. Does it say that your provider provides any guarantee regarding your data? It would be very unusual if any of your providers offered any guarantees at all.
Number 2 – Find out what measures each of your providers takes to protect your data.
Number 3 – How much trouble would you be in if you lost ALL of your data from one or more of these providers? For example, all of your email. Forever. Or all of your pictures. Or all of your finances.
Number 4 – For those services where your data is important – where losing some or all of the data would be a “problem” – create an alternate backup. Or two.
The bottom line is that ultimately, you or your company are responsible for your data, unless you have a written agreement with your provider that says that they are legally liable, which is almost unheard of. Even then, that is only as good as the damages available. Many times in contracts your claim is limited to the amount of money you paid. Pay $100 a month for a year and the most you can collect is $1,200. Does that cover the loss of your data?
You, and only you, need to figure out what is required to protect your data.
Our recommendation is at least one set of offline, disconnected backups. After all, it is hard to hack a backup that is powered down and stored in a safe or a vault.
Also remember, backups are not like fine wine – they don’t age well. Back up early, back up often.
Information for this post came from Brian Krebs.