Data Security

by Hla Min

Updated : July 2025

Background

In this part of the world, three companies collect and monitor data to determine whether a person is creditworthy. They provide credit reports and scores (such as the FICO score) that companies and institutions use to determine the risk level of a person applying for a loan (e.g. to buy a house).

Sad to say, one company was presumably too STINGY, or not technologically savvy enough, to provide multiple lines of defense against intruders. Even after two of its subsidiaries were hacked, the company did NOT report the intrusion to its customers and the general public, most of whom now have to figure out what lies ahead with their precious private data (such as Social Security numbers, credit card numbers …) stolen.

Could this incident have been prevented?

Personal Experience

Many years ago, I had to use a Smart Card to enter the office building and to access computers. We were told NOT to put SSNs or other sensitive information in e-mails. We had to refrain from printing documents heedlessly, and to shred them (or put them in special bins for shredding later).

We had to take courses about
(a) handling different types of data — private, sensitive, classified …
(b) secure communication channels and/or secure data
(c) integrity

One company developed software to encrypt or replace sensitive data in e-mails, files and databases. The test environment has to ensure that no sensitive data is leaked, so test data must be masked or synthetic rather than copied from production. A subtle assumption is that insiders may explicitly or implicitly be partners in crime.
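The "replace sensitive data" idea above is usually implemented as masking or tokenization before data is copied to a test environment. The following is an added example (my own code, not the product the paragraph refers to): it finds SSNs and payment-card numbers in text and replaces each with a keyed surrogate. The surrogate is computed with an HMAC, so the same value always maps to the same fake value (records still join across files and tables), but nothing about the original can be recovered without the key. The key is assumed to live only in the production-side masking job, never in the test environment, which is what the insider-threat assumption calls for. The regexes, the key and the sample text are constructed for the example; the Luhn check is the standard one and is used to avoid masking 13-19 digit numbers that are not card numbers.

```python
"""Mask SSNs and payment-card numbers before data leaves production.

Added example: keyed, deterministic masking of sensitive identifiers.
The patterns, key and sample text below are constructed for illustration.
"""
import hashlib
import hmac
import re

# US SSN in the usual 3-2-4 layout (constructed, deliberately simple).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; filters out order numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass luhn_ok()."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def surrogate_digits(value: str, key: bytes, n: int) -> str:
    """n decimal digits derived from HMAC-SHA256(key, value).

    Same value and key -> same surrogate (referential integrity across
    tables and files); without the key the original is not recoverable.
    The key must stay on the production side of the masking job.
    """
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10**n).zfill(n)


def mask_ssn(ssn: str, key: bytes) -> str:
    """Replace an SSN with a same-shaped surrogate (not guaranteed to be a valid SSN)."""
    digits = re.sub(r"\D", "", ssn)
    s = surrogate_digits(digits, key, 9)
    return f"{s[:3]}-{s[3:5]}-{s[5:]}"


def mask_card(raw: str, key: bytes) -> str:
    """Replace a Luhn-valid card number with a Luhn-valid surrogate, keeping separators."""
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw  # not a card number (e.g. an order id): leave it unchanged
    payload = surrogate_digits(digits, key, len(digits) - 1)
    surrogate = payload + luhn_check_digit(payload)
    it = iter(surrogate)
    return "".join(next(it) if ch.isdigit() else ch for ch in raw)


def mask_text(text: str, key: bytes) -> str:
    """Mask every SSN and card number found in free text (e-mail body, log line, CSV cell)."""
    text = SSN_RE.sub(lambda m: mask_ssn(m.group(0), key), text)
    text = CARD_RE.sub(lambda m: mask_card(m.group(0), key), text)
    return text


if __name__ == "__main__":
    # Constructed sample: one SSN, one test card number, one non-card 13-digit id.
    sample = "Employee 123-45-6789 paid with 4111 1111 1111 1111 (order 1234567890123)"
    print(mask_text(sample, b"constructed-production-only-key"))
```

Two design choices worth noting: the surrogate card number is made Luhn-valid so that test code which validates card numbers still exercises its normal path, and masking is applied to free text rather than only to named database columns, because the e-mails and files the paragraph mentions carry the same identifiers without any schema to point at them.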

Some Incidents

  • the backup tape for personnel data went missing; the affected personnel had great pains correcting their profiles
  • laptops containing sensitive information were stolen; the information was not encrypted, or was encrypted with weak keys
  • a professor posted SSNs along with the grades; a few cases of identity theft followed
  • without a unique national ID, many companies and institutions use the SSN as the key for storing and accessing records
  • phishing attacks, or malicious companies set up with the intention of obtaining credit reports from unwary job seekers
  • a credit card was used in rapid succession in a different state or outside the country; some credit card companies are good at sending alerts about fraudulent use
  • a bug fix made by a professor was NOT properly reviewed and validated

Rationale

I have touched only the surface of the security problem.

Professor Dr. Than Tun was asked “Why should we learn History?”
He replied, “To ensure that one is not stupid or dumb”.

To paraphrase, “Why should we learn about Computer & Data Security?”
“To save countless people from having sleepless nights. Losing one’s identity, assets … is intolerable”.

U Khin Maung Zaw (KMZ, EC76) wrote :

One of the first work items in Data Security is the classification of the data; it depends on what kind (or items) of data is collected/stored in a given application. At some point it is termed a ‘Data Asset’ and has several categories, as below.

HBI – High Business Impact
MBI – Medium Business Impact
LBI – Low Business Impact
PII – Personally Identifiable Information
HSPII – Highly Sensitive PII

Of course, the above is not an exhaustive list, and in the US, HIPAA (Health Insurance Portability and Accountability Act) has one of the strictest regulatory requirements.

Posts

  • Data Processing
  • Data Types
  • Fraud
  • Malware
  • Regulation
  • Security
