By Karl Lesser
While the press writes stories about sinister Russian/Chinese/North Korean "state sponsored" hackers who steal personal data, the real cause of these crippling data thefts has nothing to do with these mysterious individuals.
I have been working as an independent consultant in the field of data integration for almost 30 years. During this time I have had access to over 35 million individuals’ personal information - without ever being authorized to do so.
This type of data is rarely secured and almost always stored on unsecured computers scattered throughout organizations or government agencies. I never paid much attention to this until August of 2013, when I found my own name, my wife’s and my children’s information (birthdates, SSN, home address and even more sensitive data) inside unsecured computers at a client. Over 50 unauthorized individuals, in addition to me, had access to this information.
When I advised the client’s management about this potential threat, I was told to stop worrying because everyone there is an honest person. At that time this client had over 2 million records that were at imminent threat of being breached or leaked.
I resigned from that assignment about a week after the incident and moved on to another new client; again within three days I had unauthorized access to the full personal information of over 7.5 million people. As in every other case, the data had been copied to unsecured computers where over 100 unauthorized individuals were able to access it freely.
The real problem is not really the external hacker, the unauthorized employee, the unauthorized contractor/intern/volunteer or the Chinese/North Korean super cyber spy.
The root cause of all data breaches, data leaks and data hacks is sensitive information stored in unsecured computers in unsecured, raw form. The technology responsible for this is referred to as “Data Warehousing,” also often called “Business Intelligence”. When data is collected from the US consumer it is primarily stored in secured databases where data access is controlled by applications with strict security features. These features define who can do what with any given data element.
Business Intelligence technology connects with a data pump (called Extract-Transform-Load or ETL) to the secure database, bypassing the application’s security features. The raw data is then copied to unsecured computers and file servers where contractors and employees have unfettered access to this data.
Typically the data is copied into a so-called “Development” environment that is not monitored, meaning that no audit trails of data being viewed and extracted exist. As a result, many organizations that have already suffered a data breach, data leak or data hack do not even know that such an event has occurred. For example, neither of the organizations that I mentioned above would be able to determine if a data breach has occurred in their systems.
This problem is not exclusive to the field of healthcare and health insurance; it affects all organizations and government agencies that collect and store Personally Identifiable Information (PII) and Protected Health Information (PHI).
I have frequently come across unsecured PII in banks, mortgage companies, schools, universities, telecommunications and personal insurance companies.
Karl Lesser is president & CEO, Organization for Data Security USA, Inc.