Oct 26 2007
A common procedure at many companies is to send the backup tapes offsite, on the off chance that if the building burns down or something, the computers will be lost but the data can be restored to replacement hardware and business will pick up apace a day or two later. In the industry, this is referred to as 'disaster mitigation planning'. At smaller companies, either the tapes never get taken offsite (common) or one of the sysadmins takes the tapes home to put them into a safe or strongbox (a bit more common). Larger companies and organizations with more rules, regulations, and laws to follow often negotiate contracts with niche companies that specialize in taking backup media offsite and storing them in vaults, like Iron Mountain (which is practically a household word in the DC metroplex because they're famous for their four hour turnaround time on the bigger contracts).
However, even they're not perfect, though they had some 'help' from a customer or two who didn't encrypt their backup tapes...
Yep - the Louisiana Office of Student Financial Assistance contracted Iron Mountain to store their backup tapes offsite, but they didn't encrypt the data on the tapes, so whomever stole the tapes out of the back of the truck one of their retrieval teams was using (or, to be fair, lost the tapes in the warehouse (which is known to happen)) has gotten their hands on thousands of records containing names, addresses, Social Security numbers, and other personally identifying information (the acronym PII is coming into use as a result) of Louisiana residents. The driver of the truck didn't follow a documented procedure of some kind (they didn't say what, exactly, but I kind of think that it had to do with locking the back of the truck) and the container of tapes (helpfully and clearly labelled) went walkabout.