Database hacking: The year that was
Have you ever been to the Privacy Rights Clearinghouse site? It tallies all the data breaches that have occurred in United States since 2005. What you read there is really scary…
I decided only to look at the past 12 months – 651 breaches, an average of 2 per day. Not a number I like to live with.
They were all there: Visa, Adobe, LinkedIn, etc. — all the big ones we heard about and the small ones we didn’t. Remember, these are only the ones made public. What about all the breaches that haven’t been announced – or discovered? Let’s say 50% – based on the success rate of the known breaches.
My first impulse was to seriously reconsider online shopping and dramatically reduce my online accounts. Apparently, all my private data is potentially an open book-¦my credit card numbers, my medical files, all the personal information we entrust to organizations. Sadly, they often don’t live up to our trust.
A brief look into what caused the exposure of this personally identifiable information (PII) reveals disheartening facts:
- “An unauthorized party accessed WTH’s booking system by misusing the log-in credentials of an authorized user. Encrypted credit card numbers and expiration dates were stored there and could be decrypted in the system were exposed.”
- “Names and Social Security numbers were discovered on the website of the Department of Health Care Services.”
- “A dishonest employee working in the billing department used her position to access account information. She scanned checks and identification information from…”
- “A dishonest volunteer was caught passing patient information to people who used it to file fraudulent tax returns. The volunteer used his smart phone to capture patient records while working in an emergency room.”
Database breaches happen every day – internally, from dishonest employees and subcontractors, to external sources such as hackers using SQL injections, worms infecting public web sites, massive phishing attacks, and targeted attacks on financial institutions and defense organizations.
The more I read, the more I thought: “Why don’t the database administrators understand how vulnerable their records really are? Why isn’t the person at the company responsible for oversight in all other departments also ensuring electronic records are just as secure?” After all, these attacks aren’t a new phenomenon.
Instead of incurring damage-control related expenses such as hiring lawyers and public relations teams after their databases have been penetrated, it would be much easier, much-much cheaper and for sure more ethical to take serious prevention measures to stop these attacks from happening.
The technology exists and is readily available. Companies can find affordable database security providing dynamic data masking, separation of duties, database firewall, application security, and database activity monitoring. Just look for it. It’s there.
Author: David Maman, CTO of GreenSQL.