March 3, 2009

Data Security Redux

There have been some fairly big revelations in data security within the last few days, so I'm adding this to my earlier bit.

I'll start with what is shaping up to be a significant data breach at another credit card processor. The processor's name and the details have not yet been released, but the Open Security Foundation's DataLossDB blog has put together a timeline of events based on what they have found so far. This comes only a month after a similar breach was disclosed at Heartland Payment Systems.

After reflecting on things since my first post on data security, I figured that a fraudulent charge that led to my credit card being locked down by Visa late last year was probably the result of a breach like one of those.

Incidentally, this reminds me of a foot-in-mouth moment I had with one of OIT's higher-ups last week. He was talking about how frequently laptops or USB sticks with sensitive data on them are lost or stolen here at the U and how big a hassle it is to notify all affected parties. To help illustrate his point, I pulled out my OIT-issued disaster recovery USB stick and noted that it was not encrypted and that it contained what might be considered sensitive information. The look on the feller's face showed he was not pleased with my criticism, and to be fair I was probably out of line. But I guess I felt that accountability in these things is important, and I hope that at least the point was made, however tactless I may have been.

The other big revelations have been the recent discoveries of sensitive information on peer-to-peer file sharing networks. Someone installs a peer-to-peer client to download movies or music, points it at a folder that holds more than just media, and inadvertently shares the rest of that folder with the whole network. I can see how it would be easy for someone to make that mistake, especially if they don't realize that many clients share an entire directory tree rather than only the individual files they chose. There were two cases announced this week.

The first is stunning: Tiversa, an internet security firm, found sensitive information about the presidential helicopter on a computer in Iran. It had been scooped off a military contractor's laptop over a peer-to-peer network. What was that information doing on the laptop, and why was a bittorrent client allowed on it at all?

The second was just as unacceptable. A spreadsheet with sensitive medical information was found being shared from a computer at a collection agency employed by a hospital. This is exactly the kind of data HIPAA aims to protect, so there should be a hefty fine coming along with that one.
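Both of these leaks come down to the same mistake: a shared folder that contained more than the user thought it did. The script below is an added example, not code from this post or from Tiversa or any of the organizations named above. It walks a folder the way a file-sharing client would, lists every file that is not an obvious media file, and runs a few simple pattern checks (SSN-shaped numbers, Luhn-valid card numbers, medical keywords) over the contents. The patterns, the media extension list, and the sample folder built by `demo()` are my own constructed assumptions; a real audit would use whatever data classification rules the organization already has.

```python
import re
import tempfile
from pathlib import Path

# Assumed: extensions a music/movie downloader plausibly means to share.
# Anything else sitting in a shared folder deserves a second look.
MEDIA_EXTENSIONS = {".mp3", ".mp4", ".avi", ".mkv", ".flac", ".ogg", ".torrent"}

# Simplistic, illustrative detectors (assumptions, not a real DLP ruleset).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
MEDICAL_KEYWORDS = ("diagnosis", "patient", "medical record", "mrn")


def luhn_ok(digits):
    """Luhn checksum; used to cut false positives on 13-16 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return a list of labels for the sensitive patterns found in text."""
    findings = []
    if SSN_RE.search(text):
        findings.append("ssn-like number")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append("luhn-valid card number")
            break
    lowered = text.lower()
    if any(k in lowered for k in MEDICAL_KEYWORDS):
        findings.append("medical keywords")
    return findings


def audit_shared_folder(root):
    """Walk root recursively, as a P2P client sharing the whole tree would,
    and map every non-media file (relative path) to what scan_text flags in it."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() in MEDIA_EXTENSIONS:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            text = ""
        report[str(path.relative_to(root))] = scan_text(text)
    return report


def demo():
    """Constructed sample share: one legitimate mp3, a harmless note, and a stray
    collections spreadsheet export of the kind described in the post."""
    tmp = tempfile.mkdtemp()
    Path(tmp, "album").mkdir()
    Path(tmp, "album", "track01.mp3").write_bytes(b"\x00" * 16)
    Path(tmp, "notes.txt").write_text("grocery list: milk, eggs\n")
    Path(tmp, "collections.csv").write_text(
        "patient,dob,ssn,card\n"
        "J. Doe,1970-01-01,123-45-6789,4111 1111 1111 1111\n"   # constructed test values
    )
    return audit_shared_folder(tmp)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits) if hits else 'nothing flagged'}")
```

The useful output is not the pattern hits so much as the list of non-media files itself: if a collections spreadsheet or a contractor's engineering documents show up in that list, the folder should never have been shared, whatever the regexes say.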

Am I too obsessed with this? I guess I want to keep up with data security issues to keep them in the front of my mind. Security needs to be on everyone's minds when they are designing and administering data-driven systems.