Friday, 6 March 2009

Data Capture Protection

There has been a great deal of publicity in the UK today about the authorities finally establishing the existence of a database holding information about itinerant workers in the UK building industry. This information was syndicated to potential employers for vetting of “troublemakers”. This is not a database attack. The data held about the individuals breaks data protection regulations – this sort of human resources information is highly regulated.

This is not the first time that sensitive information has been assembled by a trusted third party so that other organizations can utilize it. Consider the credit industry – individual banks are unwilling to share information about their customers with competitors, but they are willing to share it with a trusted third party who can combine others’ information and then provide a central credit reference check.

As I wrote above, despite the media attention, this is not a database attack. This incident was not caused by inappropriate use, release or leakage of data, but simply by inappropriate data being collected in the first place.

Now if only we could find a Data Capture Protection system that was compliant with all possible data protection laws …

Tuesday, 24 February 2009

A New Dawn

I have just returned from spending time with my colleagues in the US to breaking news this morning of another huge breach of data at a credit card processing company. This comes within a few months of the record-breaking Heartland breach and the fast and furious RBS Worldpay loss of $9m within an hour.

Credit card security worries me on two levels and was brought straight to the front of my mind several times last week in restaurants, gas stations and stores.

At a corporate level, processors are clearly being targeted by highly effective criminal organisations who have recently been frighteningly effective with slow as well as fast attack strategies. What they all have in common, though, is that disclosure to the members of the public that their own data may have been compromised was late and seemingly reluctant. But at least it happened. There remain states in the US which, like the UK, still refuse to adopt breach disclosure legislation.

On an individual level, I was worried each time I offered up a credit card last week and it was taken from my sight. This makes data theft at the single-card level possible, and it is a thing of the past in Europe, where terminals are brought to the customer and PIN numbers have replaced signatures. My card could have been swiped for duplication on a dozen occasions in New York and New Jersey last week in a way that would be impossible in Oxford today.

The overwhelming sense of promise I felt in the US gives me enormous hope though. President Obama has announced a $790bn stimulus package with $35bn set aside for IT. He also has earmarked $22bn for an integrated healthcare IT infrastructure – showing what a truly brave man he is, judging by the history of the UK challenges in this area.

Obama has a golden opportunity in troubled times. He is uniquely positioned to drive the US to a position of leadership on all matters around IT security. A land which so values the freedom of the individual should be taking the lead in ensuring that the citizen is informed quickly and fully whenever any of their data is compromised. Given that data theft is an international business (US financial and personal data is so often stored and processed offshore), he needs to drive such regulations internationally.

I think he can lead these much-needed changes – and I believe he will.

Paul Davie
Monday, 16 February 2009

Physician heal thyself: Syringing a Database

I have recently returned from a vacation spent riding a motorcycle in South America for three weeks. During my trip I did have to go in search of a syringe – but this was not used for injection. The syringe was used to drain the fluid off the swollen knee of a fellow rider in the group.

It seems that whilst I was away “virtual syringes” have been used both for injecting (into SQL statements and web sites) and for draining the lifeblood – not from a swollen knee joint – but the data from a corporation. This common “procedure” – like its human counterpart – if carried out with skill, is quite painless, leaving the patient with no real idea as to how much has been extracted.

Having the contents of a database sucked out and sprayed over the Web is not a good thing – particularly if your business is security. It is a shame that this time the syringing operation was performed on a patient who should have known better.

Secerno's SynoptiQ powered DataWall ensures that every syringe is prevented from entering the skin!