The Business-Technology Weave

Dec 14 2010   12:43PM GMT

Data Breaching and Lessons of Legacy

David Scott David Scott Profile: David Scott

 

I see where the University of Wisconsin–Madison campus had a recent breach necessitating the contact of 60,000 people (according to the Milwaukee Journal Sentinel).  There are interesting twists to this particular breach.

 

First, to set the stage:  A database was “compromised,” and it contained names and social security numbers.  Oops; compromising names and SSNs is rather an embarrassing violation of data’s security – no question. 

Here’s the really interesting – and quite dismaying – part:  UofW used to embed the students’ social security numbers in their student ID numbers.  Hmmm.  That’s bad enough – really unwise.  But further, their present system contained an old file with old photo IDs, names, and the student ID number with the embedded SSN.  You know, just hanging ‘round in case – or maybe because no one remembered it was there… and no system existed that could throw up a flag.

Content management anyone?  A tenet:  If data no longer has business value, relevancy, and use – get rid of it.  Archive it or delete it.  This is a perfect example of legacy data’s liability. 

Lessons of Legacy:  It’s reported that the identities of those who accessed the file remains unknown.  But consider:  There are all manner of systems out there, with “dead wood” files just hanging around.  Who knows what measures of security awareness existed at the time of creation and accumulation of records in those files?  What vulnerabilities exist that we wouldn’t even consider looking for today?  I’d never have thought someone would embed an entire SSN in a larger ID number- seems rather crazy, but I’d just about bet they weren’t the only ones to do something like this back in the day.

Going back and surveying legacy systems and files for larger enterprises can represent a mountain of work – and it’s no small task for SMB and their corresponding smaller staffs – and once undertaken, you might not even expose and correct vulnerabilities to a 100% standard.  This is why it is so critically important these days to mount security from a whole-view perspective, with a whole-view of content.  It is far easier, and much more efficient, to manage as you go.  Construct and secure data within solid systems, and have a CMS system with destruct-dates and archive-dates well established. 

For stuff that no longer has active business or historical value, get it out of the active system; be certain the actions you take are legal – and in accordance with governance (business sanction) – archive it if you must; if you can, delete (destruct) it.

Don’t wait because, today, violating data’s security attains a much higher profile, becomes much wider-spread, and is increasingly unaffordable. 

NP:  Haitian Fight Song, Charles Mingus – Jazz24.org – online; (10:36:02 in length, and it’s jammin’ – I’ll cleanse myself with vinyl/analog later tonight).

1  Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Chuday
    Enjoyed reading your article. Informative
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: