Cybersecurity, Breaches, Data Retention and Responsible Data Storage
Over the past few years we have been inundated by large and ever-growing data breaches that have affected countless people and have the potential to affect them for the rest of their lives. Some of the breaches are reported, but countless go unreported.
Data security, unfortunately, has been mandated and enforced by a mixed bag of federal, state, and various regulating agencies. Some data is regulated by the FCC, some by the Gramm-Leach-Bliley Act (GLB, for financial data), some by HIPAA (for healthcare), and some as far afield as the Children’s Online Privacy Protection Act (COPPA).
Every state has its own patchwork of what can and can’t be done, but most have limited enforcement.
So what do we do to protect against and prevent the ever-increasing data breaches? How can we keep China, North Korea, or even U.S. resources from exploiting data?
- To protect sensitive data, DON’T put it on a machine with INTERNET access.
- Online banking has been secure, but security questions need to be user defined.
- Bank cards need a security chip.
- Even on an intranet connection, HTTPS, SSH, SFTP and dumb terminals should be used.
- All personal data should be encrypted.
- Data that has not been accessed in 6 months to a year should be migrated to a storage server removed from the rest of the active system.
- The PIN and CVV number should NEVER be allowed to be stored by any retailer. Once the retailer gets an approval number, that should be the ONLY data stored.
- Card readers should be mandated to remove/ignore/mask this data from swiped cards. The intent was extra security online, not an extra 3 numbers on a card.
- Bank cards used for shopping data (connected to shopping discount cards) should be required to be stripped of identifying data. Marketing should be done ONLY on shoppers’ cards, or tied to a bank card on opt-in.
- Adopt mandates on data security for employees based on the employee group. HIPAA has the Minimum Necessary Requirement as a part of this. Most employees do not need access to customer personal data, ever. (If there is a legitimate reason, a manager/supervisor should log in.)
- Public utilities such as electric generating stations, nuclear plants, hydroelectric dams and pumping stations should not be put on the internet. (The only reason for doing so is to make 1 person do the monitoring job of 5 or 10 and cut costs, increasing risk.)
- Mandate a review of access log files for patterns of unusual access, such as late-night or non-operating periods.
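One way to carry out the log review the last item calls for, as an added example that is not part of the original post: a small Python script that flags record accesses outside an assumed operating window and users who touch more than an assumed number of distinct customer records in one day. The log format, the sample lines, the operating hours and the threshold are all constructed assumptions.

```python
# Added example, not from the original post; log format, hours and threshold are assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <action> <record id>"
SAMPLE_LOG = """\
2015-06-02T09:15:03 jsmith VIEW CUST-1001
2015-06-02T09:16:40 jsmith VIEW CUST-1002
2015-06-02T09:17:05 jsmith VIEW CUST-1003
2015-06-02T09:17:30 jsmith VIEW CUST-1004
2015-06-02T23:41:12 rjones VIEW CUST-2210
2015-06-03T02:05:55 rjones VIEW CUST-2211
2015-06-06T11:30:00 tlee VIEW CUST-3001
2015-06-03T10:00:00 tlee VIEW CUST-3002
"""

BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 local time is the operating period
BUSINESS_DAYS = range(0, 5)     # assumption: Monday (0) through Friday (4)
BULK_THRESHOLD = 3              # assumption: more than 3 distinct records per day is unusual


def parse_line(line):
    """Split one constructed log line into (timestamp, user, action, record_id)."""
    ts, user, action, record = line.split()
    return datetime.fromisoformat(ts), user, action, record


def is_off_hours(ts):
    """True when the access fell outside the assumed operating window."""
    return ts.weekday() not in BUSINESS_DAYS or ts.hour not in BUSINESS_HOURS


def review_access_log(text):
    """Return findings: off-hours accesses, then users exceeding the daily record threshold."""
    findings = []
    per_user_day = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = parse_line(line)
        if is_off_hours(ts):
            findings.append(("off_hours", user, ts.isoformat(), record))
        per_user_day[(user, ts.date())].add(record)
    for (user, day), records in sorted(per_user_day.items()):
        if len(records) > BULK_THRESHOLD:
            findings.append(("bulk_access", user, day.isoformat(), len(records)))
    return findings
```

Running `review_access_log(SAMPLE_LOG)` on the constructed log reports the three accesses made at night or on a Saturday and the one user who pulled four distinct records in a single day.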
The reason we are not doing this… (or taking 3+ years in the case of the DHS) is simple.
- Government agencies have been pushing for back doors or less protection because they want free access to the information, weakening the system.
- It is easy to pull data; it can be more expensive to secure it.
- Companies offer a “Credit protection program” from a third party. This is for 2 years. It costs them less than $5 a month and is cheaper than fixing the issue. If you’re 20 and get your data stolen, including your Social Security Number, then based on a life expectancy of 78 years you have 58 years of risk, with only 1 or 2 years offered as “Monitored”.
- Companies, hospitals and the government buy cheap mass-marketed computers. Most have exposed USB ports, and even if “turned off” on a Windows system, the machine still reads an inserted USB device because plug and play auto-reads it, risking malware. Next time you visit a hospital emergency room, look and see whether the back of the PC is on the desk and facing you. (Insecure machines that hold personal data should not have ANY external USB/writable drives.)
- Encryption secures data but requires more computing power and time. Accessing the data and encrypting the data is processor intensive (faster data access and faster customer service vs. slower but secure). Most companies choose speed over security.
And last… because they don’t have to.
In the end, if it costs less over time for a company, they are not mandated, and it’s just people being harmed, there is no incentive to fix the issue. They rely on the customers’ 30-second attention span.
We should mandate a Data Breach fund like the “asbestos trust funds”: any company that has a data breach MUST put into a trust fund a set dollar amount per customer record accessed, per breach, and you will see data security change for the better.
Below are a few years of data breaches.
- Sony – failed to protect over 100 million user records.
- Epsilon – a cloud-based email service; estimates are that 60 million customer email addresses were breached.
- Sutter Physicians Services – 4.2 million patients’ medical details, including name, address, phone number, email address and health insurance plan name. “The security lapse occurred on two levels: both the data itself (being unencrypted) and the physical location (stored in an unsecure location).”
- Tricare and SAIC – unencrypted backup tapes were stolen from the car of a Tricare employee. Much of that data related to 4.9 million current and retired members of the armed services, as well as their families.
- New York State Electric & Gas Co. – 1.8 million files that contained customer Social Security numbers, dates of birth and bank account numbers.
- Global Payments, Inc. – 1.5 million payment-card numbers.
- California Dept. of Child Support Services – records of 800,000 adults and children on four computer storage devices.
- The U.S. Federal Reserve – sensitive credentials of 4,600 banking executives.
- The St. Louis Federal Emergency Communications System – both the system login details and private information.
- Washington State Court System – up to 160,000 Social Security numbers and the details of one million driver’s licenses.
- Target – initially reported as theft of 40 million Target customers’ credit and debit card numbers; the number stolen evolved to 70 million.
- The U.S. Department of Homeland Security – Social Security numbers, birth dates and names were unprotected and at risk since 2009, and only fixed in May 2013.
- Goodwill Industries – 868,000 payment cards.
- Neiman Marcus – 350,000 credit cards.
- The Home Depot – 56 million card records and email addresses were hacked.
- JPMorgan Chase – 76 million households and 7 million small businesses. Stolen personal data included addresses and phone numbers.
- Community Health Systems – information on 4.5 million patients was stolen, including names, birth dates, addresses, telephone and Social Security numbers.
- eBay – 150+ million records compromised.
- University of Maryland – 310 thousand names, Social Security numbers and dates of birth.
- Federal Office of Personnel Management (OPM) – July 2014: OPM investigates a breach of its computer networks dating back to March 2014.
- Anthem Inc. – 80 million health insurance customers: names, birthdays, medical IDs, Social Security numbers, street addresses, e-mail addresses and employment information, including income data.
- Federal Office of Personnel Management (OPM) – 14 million employees and their personal information, information on family and friends, military security clearances, and medical records. (This is the second time in just over a year.)
The OPM is the agency responsible for gathering personnel information on federal employees and granting security clearances. The OPM didn’t use encryption or other technology to protect the Social Security numbers of federal workers.
*** Update – The OPM breach has increased to 21.5 million ***