In this part of the world, three companies “collect and monitor data” to determine if a person is “credit worthy”. They provide a FICO score that is used by companies and institutions to determine the “risk level” of a person applying for a “loan” (perhaps to buy a house).
Sad to say, one company was presumably STINGY or not “technologically savvy” enough to provide “multiple lines of defense” against intruders. Even after two of its subsidiaries were “hacked”, the company did NOT report the intrusion to its customers and the general public, most of whom now have to figure out what “lies ahead” with their precious private data (such as Social Security numbers, credit card numbers …) “stolen”.
Could this incident have been prevented?
Many years ago, I had to use a “smart card” to enter the office building and to access computers. We were told NOT to use SSNs and sensitive information in e-mails. We had to refrain from “printing” documents heedlessly, and to “shred” them (or put them in “special bins for shredding later”). We had to take courses about
(a) handling different types of data (private, sensitive, classified …)
(b) secure communication channels and/or secure data
One company developed software to “encrypt” or “replace” sensitive data in e-mails, files and databases. The “test” environment has to ensure that no sensitive data is “leaked”. A subtle assumption is that “insiders” may explicitly or implicitly be “partners in crime”.
The following are some incidents that happened:
– the backup tape for “personnel data” went missing
The affected personnel took great pains to “correct” their profiles.
– laptops containing sensitive information were stolen
The information was not encrypted, or was encrypted with “weak” keys.
– a professor posted SSNs along with the grades
A few mischievous students started “identity theft”.
– without a unique “national” ID, many companies and institutions use the SSN for storing/accessing records
“Phishing attacks”, or “malicious companies” set up with the intention of getting credit reports from unwary job seekers.
– a credit card was used “in rapid succession” in a different state or outside the country
Some credit card companies are good at sending “alerts” about “fraudulent uses”.
The “bug fix” made by a “professor” was NOT properly reviewed and validated.
I have touched only the surface of the “security problem”.
Professor Dr. Than Tun was asked “Why should we learn History?”
He replied, “To ensure that one is not stupid or dumb”.
To paraphrase, “Why should we learn about Computer & Data Security?”
“To save countless people from having sleepless nights. Losing one’s identity, assets … is intolerable”.
U Khin Maung Zaw (KMZ, EC76) wrote:
One of the first work items in Data Security is the classification of the data; it depends on what kind (or items) of data is collected/stored in a given application. At some point, it is termed a ‘Data Asset’ and has several categories, as below.
HBI – High Business Impact
MBI – Medium Business Impact
LBI – Low Business Impact
PII – Personally Identifiable Information
HSPII – Highly Sensitive PII
Of course, the above is not an exhaustive list, and in the US, HIPAA – the Health Insurance Portability and Accountability Act – has one of the strictest regulatory requirements.
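One way to turn the classification list above, and the earlier point that sensitive data must be “replaced” before it reaches the “test” environment, into working code. This is an added example, not code from the post or from any company it mentions; the field names, the masking key and the sample record are assumptions, and the SSN and card number are well-known test values, not real data.

```python
import hashlib
import hmac
import re

# Hypothetical masking key: it lives in the production secrets store and never
# travels to the test environment that receives the masked copy.
MASKING_KEY = b"example-key-not-for-real-use"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
PII_FIELDS = {"name", "email", "phone", "address"}    # assumed field names

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives from plain runs of digits (phone numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_hspii(value: str) -> list:
    """Return the SSNs and Luhn-valid card numbers found in a string."""
    hits = SSN_RE.findall(value)
    for m in CARD_RE.findall(value):
        if luhn_ok(re.sub(r"\D", "", m)):
            hits.append(m)
    return hits

def classify(field: str, value: str) -> str:
    """HSPII if the value itself carries an SSN/card number, PII by field name, else LBI."""
    if find_hspii(value):
        return "HSPII"
    return "PII" if field in PII_FIELDS else "LBI"

def tokenize(value: str) -> str:
    # Keyed hash: the same input always maps to the same token (joins still work),
    # but the original cannot be recovered without the key.
    return "tok_" + hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask_record(record: dict) -> dict:
    """Replace HSPII and PII values with tokens; LBI values pass through unchanged."""
    return {k: (v if classify(k, v) == "LBI" else tokenize(v)) for k, v in record.items()}

def leak_check(records: list) -> list:
    """Gate before data leaves for test: (field, value) pairs still carrying an SSN or card number."""
    return [(k, v) for r in records for k, v in r.items() if find_hspii(v)]

# Constructed sample record (not real data).
SAMPLE = {"name": "A. Customer", "ssn": "078-05-1120",
          "note": "card 4111 1111 1111 1111 on file", "plan": "standard"}
```

Running `leak_check([mask_record(SAMPLE)])` returns an empty list, while `leak_check([SAMPLE])` flags the `ssn` and `note` fields, which is the check the test-environment gate should fail on.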