Personally Identifiable Information (PII) is under attack like never before. Two prominent organizations were recently attacked, as reported in the news. What happened:
- A data breach at a major U.S. insurance company exposed over a million of its policyholders to identity fraud. The data stolen included Personally Identifiable Information such as names, Social Security numbers, driver’s license numbers and birth dates. In addition to Nationwide paying for million-dollar identity fraud protection for policyholders, this breach is creating fears that class action lawsuits will follow.
- A U.S. state experienced a data breach in which the personal information of 3.8 million taxpayers was exposed, including Social Security numbers and bank account data. As a result, a U.S. Government Agency has been blamed for not providing adequate compliance standards to address the changes in technology and data security.
Let’s look at the underlying vulnerabilities and trends that increase the risk and cost for all organizations, and at what can be done to protect against them.
Narrowly followed regulation and compliance standards:
PCI regulation focuses on protecting credit card data, and tokenization can take care of credit card data. But it is Social Security numbers and bank account information that are used maliciously for identity fraud. The U.S. state referred to above was compliant with IRS rules, but those rules did not cover SSN and bank account data. As a result, organizations need to have tools in place to protect all types of sensitive data, not only the types a particular standard names.
Increased legal fees and lawsuits:
Over the last couple of years, courts have broadened their definition of the damages people can suffer. This makes companies liable for actual and future damages, since identity fraud can occur long after the initial breach. To mitigate the risk, auditors are asking many parts of the IT organization, including testing/QA as well as application owners, to implement additional data security.
Proliferation of systems that now have sensitive data and must be protected:
In many organizations, 8-10 copies of production data are created for training, test and development purposes. Anyone with access to these systems could use that access to obtain confidential data. As seen in the cases above, these test and QA systems are increasingly at risk of being hacked into, and information from them is increasingly at risk of being leaked. A way to address this issue is to permanently mask the data so that it remains realistic for testing purposes but is completely de-identified. The data then has no confidential content that could be illegally used.
Outdated access control:
Attackers now have very sophisticated ways to capture a person’s username and password. Much stronger access control is required to prevent these types of attacks, especially given the outdated nature of many systems still in use today. Dynamic data masking is one way to limit the damage from this type of access: it ensures that only the non-sensitive parts of a record needed to complete a task are displayed to a user, while the confidential parts are masked.
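As an added example, not code from the original post, the following Python sketch shows both approaches described above: permanently masking SSNs and account numbers in test copies with a keyed, format-preserving transformation, and dynamically masking the same record per role at read time. The sample record, the key, the role names and the SSN validity rules are assumptions for the example.

```python
import hashlib
import hmac
import re

# Constructed sample record for the example; not data from any real system.
RECORD = {"name": "Jane Example", "ssn": "123-45-6789", "account": "000123456789"}
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

def _digits_from(value: str, key: bytes, count: int) -> str:
    """Derive `count` pseudo-random digits from a keyed HMAC of the input.
    Same input + same key -> same output, so the 8-10 test copies stay consistent
    with each other (joins still work) without revealing the original value."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest, 'big') % 10**count:0{count}d}"

def static_mask_ssn(ssn: str, key: bytes) -> str:
    """Permanently replace an SSN with a realistic, valid-looking one (assumed rules:
    area 001-665, group 01-99, serial 0001-9999) so test data still exercises
    validation logic but is fully de-identified."""
    raw = _digits_from(re.sub(r"\D", "", ssn), key, 12)
    area = 1 + int(raw[0:4]) % 665
    group = 1 + int(raw[4:8]) % 99
    serial = 1 + int(raw[8:12]) % 9999
    return f"{area:03d}-{group:02d}-{serial:04d}"

def static_mask_account(account: str, key: bytes) -> str:
    """Replace a bank account number with an unrelated one of the same length."""
    return _digits_from(account, key, len(account))

def dynamic_mask(record: dict, role: str) -> dict:
    """Mask at read time: the stored record is untouched, but each role sees
    only what its task needs. Role names are assumptions for the example."""
    shown = dict(record)
    if role == "fraud_analyst":          # legitimate need for the full values
        return shown
    if role == "support":                # identity check needs the last 4 only
        shown["ssn"] = "***-**-" + record["ssn"][-4:]
        shown["account"] = "*" * (len(record["account"]) - 4) + record["account"][-4:]
    else:                                # everyone else: name only
        shown["ssn"] = "***-**-****"
        shown["account"] = "*" * len(record["account"])
    return shown

if __name__ == "__main__":
    key = b"example-masking-key"         # constructed; keep real keys in a KMS
    print(static_mask_ssn(RECORD["ssn"], key), static_mask_account(RECORD["account"], key))
    print(dynamic_mask(RECORD, "support"))
```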
How protected is your customer and employee information?
For more information on data security issues in the government, join us for the following webinar: Balancing Openness and Compliance, A Data Dichotomy?