We refer to the unlawful seizure of electronic information many things – a security breach, data theft, hacking – but for some reason we never refer to it as a heist.
This crossed my mind as I was reading an extremely suspenseful article by Joshua Davis in the most recent issue of Wired magazine called, “The Untold Story of the World’s Biggest Diamond Heist.” It’s not a tech story the way we would normally think of it, but it comes as close as anything I’ve read to a real-live action/adventure movie. (Which is probably why the film rights were recently optioned by J.J. Abrams of Alias fame.)
Davis scored an exclusive interview with Leonardo Notarbartolo, the mastermind behind the theft of millions of dollars in jewelry and cash from the largest vault of the Diamond District in Antwerp, Belgium.
“The vault was thought to be impenetrable,” Davis writes. “It was protected by 10 layers of security, including infrared heat detectors, Doppler radar, a magnetic field, a seismic sensor, and a lock with 100 million possible combinations. The robbery was called the heist of the century, and even now the police can't explain exactly how it was done.”
Well, Davis found out, for the most part, and apart from the occasional mini-camera here and circuit-switching there, it was a relatively low-tech affair, with a lot of social engineering and MacGuvyer-style ingenuity. To the point where I thought, if they could break into such a highly protected diamond vault this way, how hard would it be to do the same to the average corporate data centre?
Most of the data centres I’ve seen have their own high levels of security, whether it’s biometric fingerprint scans or perhaps code-key passwords. I’ve never come across anything as locked up as this vault in Antwerp was supposed to be, and this theft only took place about five years ago. There hasn’t been much invented recently that I can see protecting this vault, or a data centre, any better.
As exciting as a diamond heist story is, the value of a diamond can’t compare to what the right kind of thieves could do with the right kind of corporate data. A diamond, once you’ve sold it off on the black market, is gone. Data can be reused again and again to conduct transactions, lead to other information sources and even resold to a variety of sources.
The key difference, I guess, is that even if you break into a data centre you may not be able to get at the data if it’s properly encrypted. But not everything is that well encrypted. And with time and expertise, encryption isn’t foolproof.
Physical security isn’t normally considered a major IT issue, but it may become one if criminal minds ever decide it’s worth their while to go after a different kind of target. Diamonds? Yeah, they’re pretty. Big give me a shiny file of customer data any day.