This was reposted from Clean Up BlogThisSecurity feed and make it a snipit http://www.sqlservercentral.com/blogs/brian_kelley/2012/11/27/are-your-protecting-your-db-backups/ written by (author unknown). They get all the credit for this, not me.
Folks have cited the recent InformationWeek article on how South Carolina’s Department of Revenue was hacked because the SC state government basically said, “It’s the IRS’ fault for not telling us we should encrypt social security numbers.” I’m not going to touch that. It stands on its own for its foolishness. However, I did key in on how the hack happened and how the data was obtained. I found this bit to be particularly interesting:
“But with more work, by Sept. 12, 2012, the attacker had successfully located and begun copying 23 database backup files, containing 74.7 GB of data, to another directory. Soon, the attacker compressed the data into 15 zip files, transferred them to another server, sent the data to an external system — outside the state’s control — and deleted the zip files to help hide the data breach, according to Mandiant’s report.”
In other words, the attacker, once inside the trusted network, located the database backup files, zipped them up, and then copied them offsite. That’s how the data was lost. The database backups were attacked.
Additional reading can be found at the original author’s post.