How big a problem is theft in the data center?

I have been having a variety of discussions with people who have insight into how bad a problem inventory shrinkage is in the data center. Inventory shrinkage is a term used in retail for inventory that disappears, hence “shrinks.” Given retail's thin margins, shrinkage is a big deal.

Security and Crime News

Retail Theft and Inventory Shrinkage

2002 Retail Security Survey Shows U.S. Retailers Losing $31 Billion to Theft 

Inventory shrinkage, a combination of employee theft, shoplifting, vendor fraud and administrative error, cost United States retailers over $31 billion last year according to the latest National Retail Security Survey report on retail theft, which analyzed theft incidents from 118 of the largest U.S. retail chains.

According to University of Florida criminologist Richard C. Hollinger, Ph.D., who directs the National Retail Security Survey, retailers lost 1.7 percent of their total annual sales to inventory shrinkage last year. The surveyed portion of the retail economy transacts over $1.845 trillion dollars annually, making the loss worth over $31.3 billion. Total inventory shrinkage was down slightly from $32.3 billion in 2000.

Data centers tend to feel secure because their operators think their security systems eliminate theft.

Where Inventory Shrinkage Happens

| Source of Inventory Shrinkage | % of Loss* | $ Lost |
|---|---|---|
| Employee Theft | 48.5% | $15.1 billion |
| Shoplifting | 31.7% | $9.7 billion |
| Administrative Error | 15.3% | $4.8 billion |
| Vendor Fraud | 5.4% | $1.7 billion |
| Total Inventory Shrinkage | | $31.3 billion |

But, even if you eliminate all theft, 20% of inventory shrinkage comes from administrative error and vendor fraud.

To give you an idea of data center theft, Seagate has a paper on stolen drives and servers.

Stolen Drives and Servers: Don’t Think it Can’t Happen in Your Data Center (September 2007)

Executive Summary

Almost every organization is well aware of the risk to confidential data stored on mobile devices such as notebook PCs that can be lost or stolen.  But few organizations realize that drives or even entire servers are vulnerable to theft, loss, or maintenance mix-ups despite the “protection” of residing in the organization data center.  Of course, that means that the confidential data stored on those devices is subject to unauthorized use by the growing army of cyber criminals.  Because data centers contain the most concentrated data in the organization, such thefts can be catastrophic in terms of financial, regulatory and legal consequences.  Even small incidents can necessitate high costs of remediation because when such thefts occur it is extremely difficult to determine what was compromised, so the “worst case” scenario must be assumed.

The paper goes on to point out the risk in data centers.

Servers can be at risk even inside large, well-managed facilities

Despite standard physical security measures employed at data centers, there are still many opportunities for insiders or skilled thieves to steal important servers and drives, even during normal hours of operation.”  For example, when systems are being expanded or modified, there are frequently large numbers of contractor technicians who carry equipment in and out and have the opportunity to remove drives or servers with few questions asked.

How bad a problem do you have? Companies that handle decommissioning of equipment commonly find that between 20% and 40% of the servers are not what users think they are. What types of problems? Missing RAM, hard drives, and processors. Incorrect replacement parts, such as power supplies and cables. How many of you inspect warranty service?