Wednesday, January 13, 2016

Backblaze Mails Unencrypted Hard Drives

Tamara Burns (via Hacker News):

Plaintiff Scott Hellervik takes issue with Backblaze’s procedures for returning a large amount of information back to the user via an external recovery drive. When customers order an external storage drive, Backblaze then unencrypts the data that is loaded onto the drive, and ships it to the customer without added protection, according to Hellervik.

Additionally, when shipping hard drives, the physical packaging contained very concerning private information, the class action lawsuit alleges. According to a label displayed in the court documents, Backblaze has its full name and address, drawing attention to its status as a well-known data backup and recovery company, and includes the recipient’s name and address, of course, but also includes the customer’s phone number and personal email address. “USB Restore” is listed under the department number on the label, exposing the contents within.

According to the Backblaze class action lawsuit, “Sending highly sensitive unencrypted personal information through the mail is reckless. By failing to encrypt customers’ personal information before mailing it (and, in fact, actively unencrypting it), Backblaze allows nefarious parties to target these packages (given the sensitive information disclosed on the shipping labels), intercept them before reaching the intended customers, and access their sensitive personal information.”

CrashPlan used to mail restoration hard drives using its own encrypted format. However, on January 4 it discontinued the Restore-to-Door service. Its seeding service to speed initial backups was discontinued in late 2015. So I don’t know of any Mac backup services that get this right.

Update (2016-01-13): Gleb Budman:

we actually offer encrypted restore drives at no extra cost.

2 Comments RSS · Twitter

It cannot be done write because it would no longer be zero-knowledge …

Another annoying thing Backblaze does is delete any data it hasn't seen after 30 days.

This means that if you back up data from on an external drive, and are unable to plug it in for 30 days, Backblaze will _delete_ all data stored on the external. Their stated workaround is "don't leave a drive unplugged for more than 30 days."

As someone who travels a lot - often with oceans between me and my externals - I find this completely unacceptable.

Leave a Comment