Posted by: Arian Eigen Heald
Admins and Auditors, Database security, Identity theft, IT audit, Security
The year 2007 was a banner one for personal data theft, especially credit card info (think TJMaxx) and individual personal data being lost all over the place. Big and small, the number is in the millions. The Identity Theft Resource Center estimates the number of lost or stolen personal information records to be 79 million, up from 20 million in 2006.
The bad guys are getting data off of laptops, phishing emails etc, but that’s petty numbers. The real motherlode of data is inside databases.
Where do you think the TJMaxx thieves got their 90 million credit card records? Not from sniffing wireless transactions. Oh no. They got into the network, then into the servers, then into the database(s) holding that data, which were, I betcha, unencrypted. And the only reason they got caught was because the “mules” for the thieves got sloppy about purchasing large amounts of products in stores to exchange for cash. TJMaxx wasn’t watching their databases (or anything else, seemingly).
So when people ask me why I care about database security during an IT Audit, there’s my answer. And the fact that internal data theft is a significant percentage of the overall numbers.
Who has access to your HR, payroll and client information? The temp? The CEO’s secretary? The guy in accounting? If you were losing data, how would you know? Those bad guys don’t want to be found.
Is your payroll database on the same server as the database accessed by your web server? (Saw that one last year)They’ll get your client data and all your employee information, too.
If I had to choose between the network engineer and the DBA to guard my personal data, I’d be choosing the DBA.
Next: Medical Identity Theft