Is your data safe with cheap “prosumer” backup services?

I read a blog post yesterday written by Chris Colotti that described a scenario that sounds horrible:  a backup service deleting a customer’s data with little to no notice.

A few disclaimers: Chris makes it perfectly clear he is speaking on behalf of himself & his wife’s business – not his employer, Cohesity. Cohesity and Spanning (the company who deleted his data) are competitors (in certain markets) of my employer, Druva.  Druva does not compete with Spanning in the “prosumer” space.

The following is a summary of what Chris described in his blog post:

He was using Spanning to back up his personal data and the data from his wife’s small business.  Unbeknownst to him, he crossed over into what Spanning referred to as “excessive usage.” According to their EULA, “it is Excessive Use if at any time the cost of Licensee’s Users’ storage consumption far exceeds the Fees for the Services as calculated by Spanning.”

He didn’t see the single email they sent him in October about this problem, mainly because it looked like all the user messages he got from them about backup success, etc. There was no scary subject line or anything else to make it stand out.  So he never saw it. In November they cancelled his account and deleted (“reaped” was the word they used) 36TB of his backups with no additional notification other than that one email.  This is despite him renewing his contract in between the notice (that he didn’t see) and when the data was deleted.  He didn’t even realize this had happened until he went to try to use the service to restore something – in February.  That’s when he found out his account had been cancelled in November.

A few observations

There aren’t any limits, but there is a limit.  The limit is when we deem you are no longer profitable to us.  You, of course, won’t have any idea what that limit is, but we reserve the right to delete your data when that happens.  That’s the weirdest limit I’ve ever heard of. Completely arbitrary and not trackable by the customer.

One email before complete deletion?  With no scary subject line?  Really? I would think that if you were going to fire a customer for being non-profitable, you would send them many, many emails – even a phone call or two – before you decide to deactivate their account and delete their data. There wasn’t even an email that says “Account deactivated/Deleted/Reaped/whatever?” I think if he had found out when this actually happened in November, he might have been able to get his data back.  But he didn’t actually find out until February. As Chris mentions in his post, have you ever had a GoDaddy domain and seen what happens if it’s about to expire?  Man, do they email you.

They took his renewal money after he was put in the penalty box, and still said nothing.  To me, that’s the worst part of the story.  It reminds me of something that happened to me years ago, but more on that later.

Even though this isn’t the point of the post, I will say that my employer, Druva, offers both per-user pricing and per-GB pricing.  Any capacity limits on a per-user account are clearly spelled out in the contract.  A customer that goes over those limits would receive far more notification than a single email, which would include phone calls, etc.  Our long-term hope would be that we would rectify the situation and keep them as a customer.  The idea of simply deleting a customer’s backup data after a single email – regardless of how egregious the violation – is simply unconscionable.

Spanning still advertises services at $4/mth for “unlimited storage of all your G-Suite data.” It then again says “Unlimited storage” and “Unlimited versions.”  There is no asterisk w/a disclaimer.  Clearly it is not unlimited, but they say it is.  It sure looks like false advertising to me.

Are cheap prosumer backup services safe?

Most of the services like this that I’ve tried are gone.  Mozy, Carbonite, & Crashplan have all abandoned their cheap offerings like this, sometimes with as little notice as Chris got. Ten years ago Mozy significantly hiked their pricing to make their service unattractive to data-hungry guys like Chris.  And they gave you 30 days to get out.  I gave them a ration for that back in the day.  It was the same kind of nonsense that happened to Chris.  30 days is simply not enough time to move any significant amount of data to a new service over consumer-grade Internet.

I also remember when Mozy didn’t run for an entire year on my laptop, while they continued to charge my CC.  No error messages, no nothing.  Just bills. How much customer service do you think you’re going to get for $4/mth?  Talk about a small fish in a small pond.

ibackup is still around, but they’re charging enough money to make money.  They would have charged Chris ~$700/mth for 36 TB.  I don’t see anything wrong with that kind of service.  What I’m wondering about are these $4-5/mth “unlimited” services.

Chris was grandfathered in on that $4 pricing. Are there still services out there that still offer this kind of pricing?  Are they unlimited or “unlimited?”  Do you feel safe keeping your important data there?

My personal opinion is that it’d be a fine place to put a backup.  But I would not want it to be the only backup. That’s my opinion and I’m sticking to it.

----- Signature and Disclaimer -----

Written by W. Curtis Preston (@wcpreston). For those of you unfamiliar with my work, I've specialized in backup & recovery since 1993. I've written the O'Reilly books on backup and have worked with a number of native and commercial tools. I am now Chief Technical Evangelist at Druva, the leading provider of cloud-based data protection and data management tools for endpoints, infrastructure, and cloud applications. These posts reflect my own opinion and are not necessarily the opinion of my employer.

Distributed Ledger (e.g. BlockChain) expert explains how to use it for security (Restore it All Podcast #84)

Chainkit Founder & CEO Val Bercovici returns to the podcast to build on what we learned last week. This week we talk about how distributed ledger technology (such as the one in BlockChain, but there are others), can be used to increase security. We talk about the SolarWinds hack and how that could have been prevented using such technology.

Blockchain expert explains blockchain & distributed ledgers (Restore it All Podcast #83)

We invite blockchain expert Val Bercovici, Founder & CEO of ChainKit, on the podcast to explain the basics of distributed ledgers, as well as the biggest distributed ledger – BlockChain. He explains what a distributed ledger is and why you might want one. We then talk about why someone would contribute to such a ledger, meaning why you would volunteer your resources to be part of one – a process known as “mining.” Then, as a precursor to our next episode, we talk a little bit about the security possibilities of a distributed ledger.

Using backup to refresh your server, laptop, and phone (Restore it All Podcast #82)

Prasanna and Curtis discuss the importance of occasionally refreshing your hardware (or virtual hardware) and how important backup is in that scenario. There are many modern tools that can help you migrate from one thing to another (e.g. iPhone migration), but you’d better also have a decent backup. We also discuss the pros and cons of TimeMachine. It’s nice, but not perfect. (Still better than anything in Windows, though.)

Netbackup & Rubrik User Tells Their Story (Restore it All Podcast #81)

Julie Ulrich, Systems Engineer at Farm Bureau Insurance of Michigan, joins us on this episode to talk about her experiences with NetBackup and Rubrik in her world. She’s been working in backups for over 25 years, so has seen a number of iterations of both products. We talk about many of the challenges she had with NetBackup that led her to considering Rubrik, as well as the pros and cons of using Rubrik. We also talk a little about her concerns about Microsoft 365.

Scary data loss stories (Restore it All Podcast #80)

These are the kinds of stories that keep you up at night. UK police deleted hundreds of thousands of records. Sysadmin accidentally deleting thousands of users. A new backup “feature” that made the backups worthless. The infamous story of Toy Story getting deleted with no backups! All this and more!

The Very Tape-Centric Backup Views in Finland (Restore it All Podcast #79)

In another fascinating look into a very different world (backup-wise), we are delighted to have Timo Piiparinen from Multicom in Finland. He’s been in the IT industry for over 40 years at the same company! Timo gave us a fascinating look into a very different backup world. He makes a case for tape in the backup system (something I gave up on a while ago) because he’s using a backup software vendor that didn’t give up on the medium and actually innovated for it. Using a unique multiplexing setup that used flash disk as a big cache for the tape, very large block sizes, and what he called read-optimized writes, they run these tape drives at over 650 MB/s during backups and can guarantee restore speeds! He and I spar a bit over the value of disk during DR, and his position was that this was only necessary for the most critical systems. He’s a fan of tape, which is hard to find these days. Timo will be back.

Stop ransomware in its tracks with DNS, DHCP, IPAM (Restore it All Podcast #78)

We welcome Andrew Wertkin, Chief Strategy Officer of BlueCat, a DNS, DHCP, & IPAM (DDI) security company. Like backup, properly securing these parts of your infrastructure is both extremely important – and everyone thinks it’s boring. I knew nothing about DDI before this recording and I learned a ton about the ways that bad actors use these technologies to either attack or exploit your company. Using technologies like BlueCat can actually stop ransomware in its tracks! Andrew explains exactly how ransomware attackers use DNS for Command and Control, and how products like BlueCat can be used to stop them in their tracks. This is a great episode with a lot of really good information.

Microsoft 365 expert explains why you need to back it up (Restore it All Podcast #77)

Vanessa Toves, a Microsoft 365 expert, joins us again to explain exactly why you need to back up Microsoft 365 and similar services. We talk about how Microsoft is only responsible for that platform; you are responsible for the data. Particular attention is given to the idea that somehow Retention Policies are a substitute for backup. She explains exactly why that is not the case. In fact, her experience with such policies has her struggling to wrap her head around why someone would want to do that.

Microsoft 365 architecture that needs to be backed up (Restore it All Podcast #76)

Vanessa Toves, a Microsoft 365 expert, joins us on Restore it All to explain the unique architecture of Microsoft 365 (formerly known as Office365). We talk about Teams and Groups, and how many people misuse both. We cover SharePoint’s role in this as well, and how Exchange Online figures into the picture. This was originally going to just be an overview, but our architecture questions just kept coming, and Vanessa kept answering them. This episode lays a good foundation of what we will cover in the next episode, which will be dedicated to backing up Microsoft 365.
