Failure Note: The Backup Restored the Wrong Company

The files came back. So did departed users, obsolete permissions and records from an entity that no longer belonged in the environment.

The answer

A private investment group suffered a destructive cloud incident. The infrastructure team selected the most recent clean backup and began restoration. By Saturday morning, shared drives, mail archives and identity configuration were available.

Friday, 18:40 — service lost

A private investment group suffered a destructive cloud incident. The infrastructure team selected the most recent clean backup and began restoration. By Saturday morning, shared drives, mail archives and identity configuration were available. The technical recovery was declared a success.

Saturday, 11:15 — the first anomaly

A finance operator saw a former joint-venture folder. Another found a departed executive in an approval group. A third noticed a bank instruction template carrying an entity name retired eighteen months earlier.

What the backup actually represented

The backup had captured a moment in technology, not a valid state of the institution. Since that moment, entities had been sold, mandates revoked, litigation holds added, counterparties changed and access narrowed. Restoration reanimated all of it at once.

The system recovered availability while corrupting authority.

The hidden assumption

Backup programmes usually test whether data can be returned. They rarely test whether the returned data is still permitted to exist, whether restored users should retain access or whether the restored configuration matches the current legal perimeter.

This is especially dangerous in structures with acquisitions, separations, trusts, special-purpose vehicles and shared administrative teams. “Our data” is not one stable category.

The interruption control

- Maintain a dated authority baseline separately from the backup itself.

- Classify systems and datasets by entity, owner and post-separation rule.

- Restore into quarantine before reconnecting identity, integrations or external communications.

- Reconcile current users, mandates, retention holds and legal boundaries before release.

- Require operational and legal acceptance, not only a technical success signal.

The restoration passport

Every critical backup set should carry a short passport: captured date, entities included, identity snapshot, encryption custody, known exclusions, superseding authority changes and the person permitted to authorise production release.

A backup answers, “Can we reproduce the past?” Continuity requires a second answer: “Which parts of that past may return?”

Sources

  1. NIST — Contingency Planning GuideNIST

    Primary authority

  2. FINMA — Operational risks and resilienceFINMA

    Primary authority

Ross BelhommePartner, Svperior / Legal

Adam J. De Collibus

Adam co-founded Svperior and leads systems engineering from requirements through implementation. His work connects architecture, implementation, deployment, and operating discipline across complex environments where failure must be anticipated and technical capability must remain dependable under pressure.

Systems engineering / Technical architecture / Production operations / Operating resilience

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry
Failure Note: The Backup Restored the Wrong Company