I see where the University of Wisconsin–Madison campus had a recent breach necessitating the contact of 60,000 people (according to the Milwaukee Journal Sentinel). There are interesting twists to this particular breach.
First, to set the stage: A database was “compromised,” and it contained names and social security numbers. Oops; compromising names and SSNs is rather an embarrassing violation of data’s security – no question.
Here’s the really interesting – and quite dismaying – part: UofW used to embed the students’ social security numbers in their student ID numbers. Hmmm. That’s bad enough – really unwise. But further, their present system contained an old file with old photo IDs, names, and the student ID number with the embedded SSN. You know, just hanging ‘round in case – or maybe because no one remembered it was there… and no system existed that could throw up a flag.
Content management anyone? A tenet: If data no longer has business value, relevancy, and use – get rid of it. Archive it or delete it. This is a perfect example of legacy data’s liability.
Lessons of Legacy: It’s reported that the identities of those who accessed the file remains unknown. But consider: There are all manner of systems out there, with “dead wood” files just hanging around. Who knows what measures of security awareness existed at the time of creation and accumulation of records in those files? What vulnerabilities exist that we wouldn’t even consider looking for today? I’d never have thought someone would embed an entire SSN in a larger ID number- seems rather crazy, but I’d just about bet they weren’t the only ones to do something like this back in the day.
Going back and surveying legacy systems and files for larger enterprises can represent a mountain of work – and it’s no small task for SMB and their corresponding smaller staffs – and once undertaken, you might not even expose and correct vulnerabilities to a 100% standard. This is why it is so critically important these days to mount security from a whole-view perspective, with a whole-view of content. It is far easier, and much more efficient, to manage as you go. Construct and secure data within solid systems, and have a CMS system with destruct-dates and archive-dates well established.
For stuff that no longer has active business or historical value, get it out of the active system; be certain the actions you take are legal – and in accordance with governance (business sanction) – archive it if you must; if you can, delete (destruct) it.
Don’t wait because, today, violating data’s security attains a much higher profile, becomes much wider-spread, and is increasingly unaffordable.
NP: Haitian Fight Song, Charles Mingus – Jazz24.org – online; (10:36:02 in length, and it’s jammin’ – I’ll cleanse myself with vinyl/analog later tonight).