Enough Is Enough! Why Do We Have To Be At Risk?

When Do We Say Enough Is Enough?

Recently Anthem Blue Cross Blue Shield announced that the ‘private’ information of up to 80 million customers was stolen. It wasn’t anything about medical history taken, just all their customers’ personal data. You know, the stuff that can be used to fake someone’s identity and make their life a living hell?

If that wasn’t bad enough, they then announced that the information stolen was not encrypted because it is not required by HIPAA.

Nice try, Anthem. You can’t get away with trying to blame someone else for YOUR shortcoming in protecting YOUR customers’ information.

You even go so far as to say:

“Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack…”
Joseph R. Swedish – President & CEO – Anthem

Yet, somehow these ‘state of the art’ information security systems didn’t encrypt the data while it was all consolidated and at rest. You know, the goldmine of data. It is all neatly organized and pulled together into one place for convenience. Turns out it wasn’t just for your convenience.

Since when did a company need an outside source to tell them that they need to properly protect sensitive customer data?

I’m also looking at you Target, Home Depot, and every other company that has customer data and doesn’t seem to think there is any reason to worry about what could happen, until it does.

Let’s Make This Easy

Here’s a simple flow chart to help you determine if you should protect customers’ data properly:

[Figure: A very simple flowchart to determine if you should protect your data]

This isn’t rocket-surgery!

Really, it isn’t! A lot of database systems out there already have options and features to enable encryption and other protective measures to ensure the data is safe while in motion and, shocking as it may sound, at rest too. If your database system doesn’t have that, there are entire companies committed to providing that protection as a third-party tool.

If you are a company that has customers, you need to step up and get a little more proactive with protecting our information. I’m sure, with all that has been happening as of late, if your website or interfaces wind up going just a little slower because they are secured, the majority of your customers would be fine with it.

After all, it’s not like you are rushing to get protective services to the customers in the aftermath. I mean come on! Anthem is snail mailing their customers with details on how to obtain free credit monitoring and identity protection services from them. Nice, but that still leaves plenty of time for the stolen data to be used before the customer can get anything into place.

Is it seriously just about the bottom line?

It sure seems that way. Forget about the customer. Geez, we have 80,000,000 of them! Just get the systems going as fast as possible so that people don’t complain and go to someone else with their money! It’s high time companies start treating us all like humans again, not just numbers stored in an improperly secured database, and to protect their data. Our data.


Chris Bell, SQL Server MVP, MCSE & MCITP, is a 20-year veteran of using Microsoft products & SQL Server to create solutions for businesses, organizations and individuals. Chris speaks, blogs, writes articles and makes media of all kinds regarding SQL Server at WaterOxConsulting.com.

Chris is also the founder of WaterOx Consulting, Inc., which features SQL Server consulting services along with the destination location week-long training series: SQL Summer Camp.

He is the founding president of PASSDC and organizes the annual SQLSaturday in Washington D.C. and Nova Scotia, Canada. Chris frequently speaks at and attends SQL Server events, sharing his passion for all things SQL Server.

In 2012 Chris was a finalist in the worldwide Exceptional DBA competition and in 2014 he received the Microsoft MVP award in recognition of his open sharing of his knowledge with the technical community. His blog is currently syndicated to SQLServerCentral.com and ToadWorld.com.

Comments 10

  1. Pingback: Enough Is Enough! Why Do We Have To Be At Risk? - SQL Server - SQL Server - Toad World

  2. I’m not in computers. I was in medicine / education and am now just a typical consumer. I have been affected by each of the companies you mentioned above. The latest Home Depot data loss is causing my bank to reissue our debit/credit cards with PINs they have chosen for us. If we want to change a PIN to one that we will remember, we are forced to go in to the bank and change it in person during business hours.
    Anything you IT professionals can do to put a stop to this rampant thievery of our personal information will be greatly appreciated by us “average” consumers.

  3. Post Author

    I feel that a lot of the issue is not IT professionals not making the efforts to protect the data. I strongly believe it is more that companies are focused more on minimal compliance vs. minimal risk.

  4. from http://www.securityarchitecture.com/anthem-breach-enabled-by-compromising-administrator-credentials/ :
    Much has been made in the press of the fact that the data stolen from Anthem was not encrypted (which is recommended but not required under HIPAA). If the retrieval of the data occurred using administrator accounts, however, then any database-, drive-, or server-level encryption of data at rest would have been irrelevant because such data is typically decrypted on-the-fly when it is accessed by authorized users. The type of encryption advocated to protect health data is most useful to mitigate the physical theft of computers, hard drives, or removable media (such as backup tapes), or to safeguard sensitive data contained in database extracts or files to be electronically transferred from one location to another.

  5. At-rest data probably isn’t the concern here though since the data probably wasn’t stolen at rest. It was probably queried out. It’s possible it was stolen at rest by either stealing the backup file or turning off sql long enough to copy the files. However, most data is stolen through querying, in which case encrypting at-rest data won’t do anything for you.

    Row-level security/encryption is probably what these guys needed. Protect it with a cert and limit the access. However, at some point your data will be stolen even like this because if it’s an acct that was compromised then the acct probably has rights to decrypt the data. But if you do it right you can greatly minimize the damage by using a different cert for each customer or group of customers.

    This kind of security is a layered approach. The perimeter has to be secured better. The apps have to be secured by not storing pwords in config files and taking real steps to prevent injection. And SQL itself has to be secured by using SPs and locking down perms (view definition for example). You can also handle your errors to prevent them from being pushed back to the apps. It’s a common injection technique to use info obtained in errors to gain more knowledge about the system. Encrypt traffic between the DB and the apps. Set up IPsec.
    But encrypting at-rest data doesn’t really add anything to the equation unless they’re stealing the files themselves. I say that because everyone always thinks TDE. What you need is the solution I outlined above with row-level security and certs. Throw SPs and network encryption in there as well and you can greatly minimize the damage.
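The per-group certificate layout described in the comment above, sketched in T-SQL as an added example (not the commenter's or the blog author's code). Every object name, the role, and the sample row are hypothetical, and the master key password is a placeholder to replace; run it in a scratch database.

```sql
-- Added example: hypothetical names, constructed sample data.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-strong-password>';
GO
-- One certificate and one symmetric key per customer group, so a
-- compromised account can only decrypt the groups it was granted.
CREATE CERTIFICATE CertGroupA WITH SUBJECT = 'Customer group A';
CREATE CERTIFICATE CertGroupB WITH SUBJECT = 'Customer group B';
CREATE SYMMETRIC KEY KeyGroupA WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CertGroupA;
CREATE SYMMETRIC KEY KeyGroupB WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CertGroupB;
GO
CREATE TABLE dbo.Customer (
    CustomerId int IDENTITY PRIMARY KEY,
    GroupCode  char(1)        NOT NULL,  -- 'A' or 'B'
    FullName   nvarchar(100)  NOT NULL,
    SsnEnc     varbinary(256) NOT NULL   -- ciphertext only, never plaintext
);
GO
-- Encrypt on write with the key that belongs to the row's group.
OPEN SYMMETRIC KEY KeyGroupA DECRYPTION BY CERTIFICATE CertGroupA;
INSERT dbo.Customer (GroupCode, FullName, SsnEnc)
VALUES ('A', N'Constructed Name',
        ENCRYPTBYKEY(KEY_GUID('KeyGroupA'), '000-00-0000'));
CLOSE SYMMETRIC KEY KeyGroupA;
GO
-- Stored procedure is the only read path: the role gets EXECUTE and the
-- group A key, but no SELECT on the table and nothing for group B.
CREATE PROCEDURE dbo.GetCustomerGroupA @CustomerId int
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY KeyGroupA DECRYPTION BY CERTIFICATE CertGroupA;
    SELECT CustomerId, FullName,
           CONVERT(varchar(11), DECRYPTBYKEY(SsnEnc)) AS Ssn
    FROM dbo.Customer
    WHERE CustomerId = @CustomerId AND GroupCode = 'A';
    CLOSE SYMMETRIC KEY KeyGroupA;
END;
GO
CREATE ROLE SupportGroupA;
GRANT EXECUTE ON dbo.GetCustomerGroupA TO SupportGroupA;
-- Opening the key requires these two grants on the caller.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::KeyGroupA TO SupportGroupA;
GRANT CONTROL ON CERTIFICATE::CertGroupA TO SupportGroupA;
```

A member of SupportGroupA has no grant on KeyGroupB or CertGroupB, so group B ciphertext stays unreadable to that account; DECRYPTBYKEY returns NULL for any value whose key is not open in the session.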

  6. This will continue until the victims get
    1) one year of lifelock
    2) compensated for time and trouble say $50 in cash each.
    3) personal Errors and Omissions claims against the CEO and Board of Directors.

    If there is a problem, it comes down from the guys making the big money. It should be the guys making the big money that pay. The money for these payments should come out of the Bonus pool for the CEO and BOD.

  7. Post Author

    Data at rest, in motion, stolen by admin accounts with full access, or data presented in a way that can’t obfuscate itself when exported / removed from an actual system. There are as many ways to get into the systems and get the data as there are to protect them. This is one of the reasons separation of duties is yet another often forgotten / ignored layer of protection by getting one person to do as much as possible. Proper separation of duties would imply that someone managed the keys and access, someone else administered the data, and yet another person used the data and so on and so on.

    Security is really just a way to make your systems and data harder to get to so hopefully the person trying to take the data has a much harder time, can more easily be detected and the person goes on to another system that is easier to deal with.

    There is no magic bullet, and there probably never will be.

    My commentary is more on the ‘laziness’ of minimal effort to comply trumping the “common sense” of dealing with people as people, not just data points.

  8. Pingback: Why do We Have to Be at Risk? Enough is Enough! - SQL Server - SQL Server - Toad World

  9. I feel that the real issue isn’t that they have mismanaged data but that they actually hold data.

    Seriously, why do they need people’s data?

    Companies collect data and personally identifiable data at that, and keep it but there is no need – if I order something, send it to me then anonymise my data.

    I am happy to have things like address shortened to neighbourhood or town for example but they don’t need to keep data long term.

    Why store cc numbers?

    If it is all just to make end users’ experience better then we are all responsible for that.
